Risk assessment and acting in accordance with established procedures counteract data loss

The Polish SA imposed an administrative fine of PLN 8,000 on the Mayor of the Commune of Dobrzyniewo Duże for failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

The controller notified to the Polish SA a personal data breach which occurred as a result of a break-in in the employee's apartment and the theft of a laptop that contained a file with personal data. As a result, the loss of confidentiality of the personal data of the aforementioned individuals occurred.

Rules set but not implemented
It should be mentioned that the controller has adopted appropriate procedures and policies for the security of personal data processing and conducted a risk assessment that addressed, among other things, the threat of theft of the laptop used for processing. The controller was aware of the risks associated with the loss of computer equipment taken outside its organisation. It assessed the risk as unacceptable and identified, in line with the risk management approach, the safeguards to be implemented to reduce it. Among the safeguards listed to reduce the level of risk, encryption was indicated.

However, as the proceedings revealed, the stolen computer was protected from unauthorised access only by a password, and the security measures adopted in the procedures were not applied to this device.

Risk assessment should precede the implementation of appropriate measures

Processing should be conducted in a manner that ensures adequate security of personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').

According to the GDPR, the concretisation of the confidentiality principle is the implementation of appropriate organisational and technical measures. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.

The controller, in order to counteract the potential effects of personal data breach and prevent the loss of confidentiality of personal data, may apply additional safeguards in the form of, e.g. encryption of computer hard drives, and their indication should be made as a result of a risk assessment, after proper identification of threats to personal data processed using portable computers used outside the controller's organisation.

Negligence led to the imposition of a fine

In the case of the Commune of Dobrzyniewo Duże, the controller had kept adequate documentation since the beginning of the application of the GDPR and had performed a risk assessment. It should be considered that it was aware of the need to apply appropriate organsational and technical measures to ensure the security of processing by using portable computer devices. Only after the personal data breach the controller took steps to avoid similar incidents in the future by encrypting laptop hard drives. Thus, it was only after the breach occurred that the controller complied with the results of its own risk assessment and the risk management specified therein. The controller was negligent, which resulted in the loss of confidentiality of personal data, thereby negligently causing personal data breach. In imposing the administrative fine, consideration was also given to the fact that the stolen computer was found, and the controller's investigation showed that the computer's operating system had not been run since the date of the theft.

Although the controller lost control over the personal data and an unauthorised person gained unlawful access to it, there was no basis for concluding that, as of the date of the administrative decision in question, the data subjects had suffered any damage as a result of personal data breach in issue.

Full text of the decision