Only correct analysis helps to adapt measures and procedures to the assessed risk

An administrative fine of PLN 10 000 was imposed on the City and Commune Mayor. It turned out that this controller did not apply adequate organisational measures to prevent a personal data breach that occurred as a result of unauthorised copying of personal data files. It could have prevented this by conducting a risk analysis beforehand.

The controller notified to the Polish SA a personal data breach involving an employee making a copy of personal data from a company computer to an unauthorised medium. As it turned out, this controller, until the date of the breach, had not used port encryption and other tools to prevent the transfer of data to an unauthorised storage medium.

In the Polish SA’s opinion, taking into account, in particular, the scope of personal data processed by the Mayor and contained in the copied documents, this controller was obliged to take measures ensuring an appropriate level of data protection.

The introduction of solutions adequate to the predetermined level of risk should also take into account the nature of the given organisation and the personal data processing mechanisms used. Therefore, the controller is to carry out a detailed analysis of the conducted data processing processes and carry out a risk analysis, and then apply such measures and procedures.

Risk analysis is crucial

The supervisory authority's proceedings shows that the controller did not carry out a risk analysis for the processing of the data affected by the breach. Meanwhile, this activity is crucial for the selection of appropriate technical and organisational measures. Moreover, risk analysis should be documented and justified on the basis of the factual circumstances existing at the time of its performance.

Where the controller has made provisions for the use of portable storage media, a proper analysis could indicate the possible risks arising from their misuse, e.g. when an employee copies data stored on the company computer to a portable storage media. The results of the analysis carried out would make it possible to identify and implement appropriate technical and organisational measures to ensure the security of such data.

Monitoring the effectiveness of safeguards

The adjustments of personal data processing operations in any organisation cannot be episodic. The protection of personal data is a continuous process and should be updated on an ongoing basis, depending on the operations taking place. In the present case, the controller did not monitor both the adequacy and effectiveness of the safeguards in place.

Although the controller conducted training courses covering personal data protection issues, it was not able to prove that the person who caused the personal data breach attended those training courses.

The implementation of appropriate technical and organisational measures, as well as the introduction of actions aimed at optimal security and configuration of the used resources, tools and devices should be regularly tested, measured and assessed as to the effectiveness of the applied solutions.

In the factual circumstances, the controller's failure to conduct a risk analysis prior to the occurrence of a personal data breach meant that it was unable to demonstrate whether the solutions adopted actually provided adequate security. The consequence was the unauthorised use of a portable data storage medium by an employee.

Full text of the decision (in Polish)