What is an incident in the protection of personal data?
Two issues are particularly important in the protection of personal data: the occurrence of threats to the security of personal data, and incidents related to their protection. Every person employed in the company is obliged to inform the ABI about any threat to, or breach of, personal data protection. What is an incident in the protection of personal data and how can it be prevented? We explain below.
Threats to the security of personal data
The basic threats related to the security of personal data include:
non-compliance with the principles of personal data protection by employees (e.g. failure to follow the clean desk / clear screen principle, inadequate password protection, etc.),
inadequate physical protection of premises, devices and documents,
inadequate protection of IT equipment or software against leakage or loss of personal data.
Fight against threats to the security of personal data
If threats to the security of personal data are identified in the company, the ABI (Information Security Administrator) is obliged to conduct an explanatory procedure, during which it must:
determine the scope and causes of the threat and its possible effects,
initiate any disciplinary action,
recommend actions aimed at the elimination of similar threats in the future,
document the conducted proceedings.
Incident in the protection of personal data - definition
The Act on the Protection of Personal Data does not explicitly define what an incident in the protection of personal data is. A detailed explanation of this concept can be found in the PN-ISO/IEC 27001 standard. According to it, an information security incident should be understood as a single event, or a series of undesirable or unexpected information security events, that has a significant probability of disrupting business activities and threatening information security.
There are three main groups of incidents in the protection of personal data:
deliberate incidents (e.g. theft of data and equipment, disclosure of data to unauthorized persons, deliberate destruction of data, hacking into an IT system or premises),
internal random events (e.g. computer / server / hard drive / software failure, errors of IT specialists, data loss),
external random events (e.g. fire, flooding, loss of power, loss of communication).
Incident in the protection of personal data - practical examples
Incorrect addressing of electronic correspondence
E-mail clients now offer address auto-completion. It is a very useful feature, but it can cause an incident in the protection of personal data: when an e-mail is being prepared for dispatch, the suggested address is accepted, which often lulls the sender's vigilance so that the correctness of the recipient is never verified.
Not hiding e-mail addresses when sending bulk mail
When sending mass electronic correspondence (e-mails), remember to use the function that hides the individual recipients from one another (blind carbon copy, Bcc), apart from the main addressee. Disclosing the addresses may have unpleasant consequences and damage the image of the company that exposed the data.
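Both addressing incidents described above (an auto-completed address that was never verified, and bulk mail with every recipient visible) can be caught with a pre-send check on the message headers. The following is an added example, not part of the original article: it assumes a set of the organisation's own domains and a list of previously confirmed external contacts (both hypothetical), and uses a constructed sample message.

```python
import email
from email.utils import getaddresses

# Constructed sample: a bulk mailing with every external recipient visible in To/Cc.
SAMPLE_MESSAGE = """\
From: marketing@example-company.test
To: anna@client-a.test, bartek@client-b.test, celina@client-c.test
Cc: dominik@example-company.test, ewa@client-d.test
Subject: Newsletter

Hello everyone,
"""


def visible_recipients(raw_message):
    """Return the lower-cased addresses every recipient will see (To and Cc; Bcc is not sent)."""
    msg = email.message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def check_outgoing(raw_message, own_domains, known_contacts, max_visible=1):
    """Flag the two addressing problems before the message leaves the organisation.

    'bulk_visible'         - more than `max_visible` external recipients are in To/Cc,
                             so each of them learns the others' addresses; use Bcc instead.
    'unverified_recipient' - an external address not on the confirmed contact list,
                             which the sender should re-check against auto-completion slips.
    own_domains and known_contacts are assumed inputs supplied by the organisation.
    """
    findings = []
    external = [a for a in visible_recipients(raw_message)
                if a.rsplit("@", 1)[-1] not in own_domains]
    if len(external) > max_visible:
        findings.append(("bulk_visible",
                         f"{len(external)} external recipients visible in To/Cc; move them to Bcc"))
    for addr in external:
        if addr not in known_contacts:
            findings.append(("unverified_recipient", addr))
    return findings


if __name__ == "__main__":
    for kind, detail in check_outgoing(SAMPLE_MESSAGE, {"example-company.test"},
                                       {"anna@client-a.test", "bartek@client-b.test"}):
        print(f"{kind}: {detail}")
```

A message that only has internal recipients in To/Cc, or a single external addressee who is a known contact, produces no findings.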
Loss of data carriers
Telephones, smartphones, laptops, portable disks and even ordinary folders of paper documents are carriers of personal data. Their loss, whether through theft or misplacement, should be classified as an incident in the protection of personal data. Such carriers hold a great deal of sensitive information which, if not properly encrypted, may fall into the wrong hands. The best example is an employee's private smartphone with company e-mail configured on it, which contains e-mail addresses, contractor data, etc.
Any loss of personal data carriers should be reported to the Information Security Administrator.
Incorrect deletion of data
In many companies, employees destroy paper documents by tearing them up and throwing them into the waste bin under the desk. This is not a good solution because, contrary to appearances, such documents can be pieced back together. To properly delete personal data in paper form, use a shredder.
However, in the case of electronic media, specialized data deletion software should be used.
What to do when an incident in the protection of personal data is detected?
In the event of an incident in the protection of personal data, the ABI carries out an investigation, during which it must:
determine the time of the violation, its scope, causes, effects and the extent of the damage that has occurred,
secure any evidence,
identify the persons responsible for the infringement,
take corrective measures (removing the effects of the incident and limiting the damage),
initiate disciplinary action,
draw conclusions and recommend corrective actions aimed at eliminating the likelihood that a similar incident in the protection of personal data will occur in the future,
document the proceeding.
To sum up, every company (or other entity) processing personal data should make its employees aware of the issues related to the protection of personal data, so that in the event of threats or incidents related to the protection of personal data they are able to identify them correctly and report them to their supervisor or to the ABI.