

According to the latest report of the Spanish Data Protection Agency (hereinafter, AEPD), 1370 personal data breaches were reported in Spain in 2020. Putting the rights and freedoms of individuals at risk carries a high penalty. If you want to keep your company from being exposed to it, we invite you to read this post.
What is a personal data breach?
A personal data breach is any security breach that results in the accidental or unlawful destruction, loss or alteration of personal data of natural persons (identified or identifiable) whose data is processed by a controller or processor. Breaches that take place in a purely domestic setting are excluded.
The security of personal data is regulated in articles 32 to 34 of the GDPR, which deal with security in processing, notification of the breach to the supervisory authority and communication to those affected.
To simplify notification, in June 2021, the AEPD updated the form that it has enabled for persons responsible for the processing of personal data to comply with their obligation to notify breaches that have occurred.
Main causes
In January 2021, the European Data Protection Board (EDPB) published a guide with examples of personal data breach notifications.
These are the main causes of personal data breaches:
- Ransomware
- Data exfiltration attacks
- Sources of internal human risk
- Loss or theft of devices and paper documents
- Human error
Penalties for non-compliance
Failure to comply with the obligation to notify a security breach is classified as a serious infringement, the penalty for which can be up to 10,000,000 euros or the equivalent of 2% of the total annual turnover of the previous year (whichever is greater) under the provisions of Article 83.4 of the GDPR.
On the other hand, if the notification was made on time and in the proper form, and it evidences your organisation's diligence in adopting and implementing ex ante and ex post security measures to mitigate the effects, you will avoid being sanctioned, because you will have complied with the duty of proactive responsibility (accountability) imposed on you as a data controller by article 5.2 GDPR.
Have a certified DPO
Certified Data Protection Officers (DPOs) have the training and skills needed to ensure compliance with the principles relating to the processing of personal data; to keep evidence that demonstrates proactive responsibility in all these matters; and to inform and train the entire staff to take appropriate measures to prevent data breaches. A certified DPO can also advise you on Data Protection Impact Assessments (DPIAs), so that you can identify, assess and address the risks associated with your processing activities before you start them and ensure that the processing you carry out complies with data protection legislation from the outset.
Certification is the only way to objectively and impartially assess that a DPO has the high level of competence and professionalism required for the functions entrusted to this role. ANF AC, as a Certification Entity recognised by ENAC, has the technical competence required to certify DPOs in accordance with the AEPD Scheme.
If you have successfully passed any of the courses given by the Training Entities recognised by any Certification Entity [1] and/or can accredit sufficient professional experience [2] in functions related to those of the DPO, do not hesitate to take the last step and get certified.
[1] Consult here the training programmes recognised by ANF AC.
[2] For access to the experience-based assessment phase, please refer to section 7.3 on prerequisites, which lists the years of experience required and how to prove them.

