
Practical guidance for responding to data breaches

More and more often, administrative penalties imposed by the President of the Personal Data Protection Office (UODO) result from negligence in identifying a personal data protection breach (e.g. the recent penalty imposed on and the Medical University of Silesia). The new EROD (European Data Protection Board, EDPB) guidelines, currently under review, are intended to help data controllers determine when a breach must be reported to the supervisory authority and when data subjects must be informed. They also include a set of recommendations on how to prevent breaches from occurring in the first place.

The guidelines focus on the most common breaches, which include ransomware attacks, theft of data from IT systems, loss of devices or data storage, and human error.

How to respond to data breaches?

  • The authors of the guidelines advise preparing well in advance for a potential data breach. An internal instruction manual setting out the course of action may be helpful, so that the controller’s employees know which steps to take in order to minimize the consequences of the breach.
  • Having identified a data breach incident, the controller should immediately start analysing whether it poses a risk to the rights or freedoms of individuals and, if it does, notify the President of the Personal Data Protection Office (UODO). Notification of a breach should not be delayed until the investigation of its causes has been completed or measures have been taken to mitigate its effects.
  • The deadline for notification is at most 72 hours, but for high-risk breaches, delaying notification until the end of that period may be considered unsatisfactory.

How do you protect yourself from data breaches?

  • Human error is difficult to eliminate. Staff training and clear guidelines for handling personal data can help, especially when it comes to sending correspondence and sharing data in IT systems. Sometimes simple measures, such as configuring the email client to delay sending messages, can improve data security.
  • Portable devices (such as flash drives) are not a good place to store sensitive data. If a controller uses such devices, their security can be improved by using encryption, passwords, privacy filters or software that allows remote deletion of data, and by giving staff clear guidelines on the use of such devices inside and outside the company.
  • The controller should create backups of the data processed in IT systems and secure them properly. A well-prepared backup system reduces the risk of losing data availability.
  • IT systems should be tested regularly to detect possible irregularities.
  • There should be an adequate level of identity verification when logging in to IT systems, together with a password policy.
Author: Anna Szymielewicz, team leader, DKP Legal
