Security breaches are the events that most concern organizations, given their status as data controllers and the fines or economic sanctions provided for in the GDPR. Although it is impossible to eliminate the risk, the administrative authority will verify that measures exist to reduce that threat.
In this regard, recital 85 of the GDPR establishes the following: "If appropriate measures are not taken in time, violations of the security of personal data may result in physical, material or immaterial damage to natural persons, such as loss of control over their personal data or restriction of their rights, discrimination, identity theft, financial loss, unauthorized reversal of pseudonymization, damage to reputation, loss of confidentiality of data subject to professional secrecy, or any other significant economic or social harm to the natural person in question." Therefore, the regulation recognizes and specifically cites the possible consequences of inadequate management of personal data, although this is not a closed list, nor is it the ideal means of action.
At this point, it is essential to familiarize ourselves with security breaches and the protection mechanisms established to prevent and/or mitigate their effects. As stated in Article 4(12) of the GDPR, a "breach of personal data security" is any breach of security resulting in the "accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or unauthorized communication of or access to said data". In this area, data protection must draw on all the resources that allow it to maintain the security of the information held in the business units.
Consequently, in the administrative procedures carried out by the Spanish Data Protection Agency (hereinafter AEPD) in connection with security breaches, it will be assessed whether the prior conduct of the data controller was adequate, suitable and protective of the personal data of the parties involved. The GDPR provides two important criteria to take into account: on the one hand, implementing technical security measures and, on the other hand, assuming obligations of proactive responsibility appropriate to the nature of each business. First, in the event of a breach of this type, we will have to analyze Article 34 of the GDPR in order to evaluate whether the controller is obliged to communicate the personal data breach to those affected, because it implies a high risk to their rights and freedoms.
In short, Articles 33 and 34 of the GDPR establish the obligation to develop security and information management policies within businesses that, in addition to preventing incidents, allow them to be managed in the best possible way. That is, if security breaches are inevitable circumstances, it is imperative to establish protocols or measures that allow us to reduce their impact. The articles mentioned implicitly convey to us an organizational requirement: security planning.
Containment plan
We are certain that personal data, as part of the information of each business, is an asset, and we live in an era in which security has become a highly valuable asset as well. In short, if security breaches are unpredictable circumstances, each organization is indeed under the obligation to establish a containment plan that allows it to reduce their possible impact. This plan will integrate technical as well as organizational measures, among which the following can be mentioned:
- Establishment of action protocols in the face of a security breach or cyber attack.
- Appointment of a person who is in charge or coordinates information security.
- Specialized advice on data protection.
- Training and awareness of workers.
- Making periodic backups.