CORRECT IDENTIFICATION OF RISKS ALLOWS FOR RIGHT CHOICE OF SAFETY MEASURES
Adjusting processing operations by conducting a risk analysis to estimate the appropriate level of security, implementing appropriate technical and organizational measures to ensure the ability to quickly restore access to data in the event of an incident, and regularly testing, measuring and evaluating the effectiveness of those measures together ensure the security of data processing in an organization.
Personal data must be processed in a way that ensures adequate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage. Adequate security is to be achieved by appropriate technical or organizational measures (“confidentiality, integrity, availability”).
The obligation to ensure the security of processed data is the foundation of the legal protection of personal data. The GDPR does not impose specific measures to ensure data security; a data controller is given free rein in this respect.
When specifying the principle of confidentiality, it should be remembered that a controller should implement appropriate technical and organizational measures so that processing complies with the GDPR. Identification of technical and organizational measures is a two-step process. Firstly, it is vital to determine the level of risk related to the processing of personal data; secondly, it is necessary to determine which technical and organizational measures will be appropriate to ensure a level of security that corresponds to that risk.
An administrator should not use software that has lost manufacturer support. In such cases one should remember that no software, security or patch updates are provided for the system used. The lack of built-in and updated security measures increases, in particular, the risk of malware infection and of attacks through security holes that will never be closed.
Failure to carry out a risk analysis, failure to identify threats and failure to implement appropriate organizational and technical measures lead to a breach of personal data protection when the administrator’s IT security system used for processing personal data is broken into. The result is the encryption of the processed data in the IT system by means of malicious software.
The internal IT system management manual should define the rules for making backups and for verifying that they have been prepared correctly. It is also advisable to develop procedures for quickly restoring data availability.