If you do not care about information security, take into account the fine imposed by the President of the Personal Data Protection Office

13 Jan 2022
Jakub Wietrzyński

On January 11, another notice of an administrative fine, this time in the amount of PLN 45 thousand, appeared on the UODO website; it was imposed on the Warsaw University of Technology. Interestingly, this penalty is once again related to the Administrator’s failure to apply appropriate technical and organizational measures to ensure the ability to continuously guarantee the confidentiality of processing services, and also to the lack of regular testing, measurement and evaluation of the effectiveness of those measures.

Or at least that is what we can read in the general notice published on the website. However, I encourage you to read the decision of the President of the Personal Data Protection Office in more detail (https://www.uodo.gov.pl/decyzje/DKN.5130.2559.2020%20).

We read in it, inter alia, that the violation of the provisions of the GDPR consisted in:

  • failure to apply appropriate technical and organizational measures to ensure the ability to continuously guarantee the confidentiality of processing services,
  • the lack of regular testing, measurement and evaluation of the effectiveness of the technical and organizational measures aimed at ensuring the security of personal data processed in the IT system, including the explicitly indicated failure to perform penetration tests of applications that would allow the system’s vulnerability to attacks from the public network to be detected,
  • failure to take into account the risk related to the processing of user passwords in the application in the form of a hash function that does not provide a sufficient guarantee of security,
  • too short a retention period for system logs and the lack of a functioning detailed event log in the application.

As part of the risk analysis, how many of you take into account aspects such as the quality of the hash function used for passwords, the way administrative and event logs are kept and what they contain, or the system’s resistance to attacks from the public network? How many Administrators test the actual security, and how many merely simulate the risk analysis process by entering “risk of breach of confidentiality of personal data” on one side of an Excel table and “low risk level” on the other?

In most organizations, such a superficial approach to the risk analysis process results from a lack of appropriate competences and experience. Therefore, I would like to remind you that it is possible to ask for help from external entities specializing in personal data protection and information security, such as Blue Energy.

We invite you to use our services in the field of:

#GDPR
#IT
#security
#Tests
