4th scientific conference "Information security in the organisation and security of its resources"
IV scientific conference "Information security in the organisation and security of its resources" - report
On November 26, at the Centre for Modern Information Technologies in Katowice, the IV scientific conference dedicated to information security and personal data protection in organisations was organise on the initiative of the Personal Data Protection Office and the Department of Economic Law of the Faculty of Finance of the University of Economics in Katowice.
The debate focused on the challenges posed by the development of digital technologies for data protection in public administration, education and business.
The event was attended by specialists in the field of cybersecurity, audit and law of new technologies, employees of the Personal Data Protection Office and members of the Social Team of Experts to the President of the Personal Data Protection Office (Mariola Więckowska, Dr Stanisław Hady-Głowiak).
The conference was opened by Prof. Maciej Nowak, Vice-Rector for Science and Academic Staff Development of the University of Economics in Katowice.
During the event, the following topics were discussed: ethical aspects related to the processing of personal data in educational institutions and public universities, changes in the role of the DPO after eight years from the introduction of the GDPR, modern technologies as challenges in public administration, human resources in relation to organisation security, cyberattacks in administration.
Dr Roman Sobotka from the Law and New Technologies Department of the Personal Data Protection Office in his speech focused on personal data used by new technologies. He discussed not only the provisions of the GDPR, but also the case-law of the Court of Justice of the European Union regarding such data as: dynamic IP address, the exam grade containing the examiner's comment, VIN number (Vehicle Identification Number), number assigned to the Internet user in order to send him personalized advertising.
He also pointed out the areas where the use of artificial intelligence is the most common and what are the benefits and risks associated with it. In doing so, he discussed EDPB Opinion 28/2024 in which the use of personal data in AI models was commented.
During the discussion, a lot of practical advice appeared, especially related to today's, often incomplete or erroneous, definition of the concept of security and the concept of data in public administration, public institutions and organisations.
The advice and conclusions addressed, inter alia, the application and relevance of the GDPR in the face of new technologies. Speakers pointed out that the General Data Protection Regulation is ‘technologically neutral’, it means, that it is in its core prepared for data protection in a world of fast-changing technologies, including artificial intelligence.
Data minimisation is also covered. Experts pointed out that excess data cannot amount as knowledge, because knowledge is always structured data – excess can be harmful and makes it difficult to identify threats and increases the risk of error.
The conclusions also addressed the role of individuals and their responsibility in the workplace. In this area, it was pointed out that risk analysis is the responsibility of each individual in the organisation, and employees are the weakest link in data protection practice not because they do not comply with the rules, but because they do not know that they should report any security concerns or do not know who to report them to. Speakers also pointed out that there is still too little training for employees.
During the conference, it was also explained that data security risks arise, among others, when a system is introduced to an institution without knowing the specifics of that institution. The importance of checking security systems and documenting these processes was stressed as well.
Conference participants could also benefit from legal consultations in the field of personal data protection conducted by the expert from the Personal Data Protection Office.