Data and Information
In recent years, security and compliance with the GDPR have come into the focus of IT. In this regard, we would like to present our development-supporting service portfolio, which now also covers data protection and security considerations in the code of user systems.
We are convinced that there is still much to be done in this area. Among other things, the compliance of the software code of application systems with security and data protection requirements does not receive an adequate level of attention. This gap is revealed by the few spectacular negative examples in which confidential information falls into unauthorized hands through software vulnerabilities. Everyone is interested in the security of operations, but few people think about how many ticking data security bombs are hidden in software code of inadequate quality, which even careful operation cannot defuse.
The data protection and security competence newly added to the development-supporting portfolio of Spirity Enterprise Zrt. aims to reduce this gap. Our experts, who hold technical and legal qualifications as well as international IAPP certification, can help you. Whether the processes envisioned in connection with GDPR preparation need to be reviewed, such processes need to be created from scratch, or advice is generally needed on security issues arising around development, we are happy to be available. While many believe that the GDPR merely raised the bar for privacy and introduced only administrative requirements, the regulation uses the words "data protection", and for a good reason. Since May 2018, there have been multiple enforcement actions by Supervisory Authorities, a significant part of which dealt with IT security. The GDPR requires companies to assess the risk of the personal data they hold and to adopt proportionate security measures. Some of the enforcement actions allow us to understand what Supervisory Authorities considered appropriate measures for the protection of personal data, and which measures companies should therefore consider.
The Bulgarian Supervisory Authority fined the National Revenue Agency EUR 2.6 million for inadequate technical and organizational security measures. It ordered the agency to introduce a comprehensive risk analysis of its systems and processes within 6 months. The UK Information Commissioner set out a fine of EUR 204 million to Marriott for failing to undertake sufficient security due diligence.
In Poland, the operator of Morele.net was fined EUR 640,000 for not implementing adequately strong authentication methods for systems containing personal data. The Italian Supervisory Authority fined the IT infrastructure operator Rousseau Association EUR 50,000 for not implementing security logs of high-privilege actions in databases.
GDPR Article 32(1): "Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk."
European Data Protection Board guideline on privacy by design and default: "a responsibility on the controllers to continually assess... whether the chosen measures actually counter the existing vulnerabilities. Furthermore, it should be understood that controllers must conduct regular reviews of the information security measures that surround and protect the personal data, and the procedure for handling data breaches."