Risk assessment and adherence to procedures key to personal data security

The President of the Personal Data Protection Office (UODO) imposed a fine of PLN 23,000 on the Disciplinary Advocate of the Bar Association for a breach of RODO (the Polish name for the GDPR). The breach consisted of the loss of an unsecured data carrier (a memory stick) that contained recordings of a divorce hearing.
Although the data controller had implemented internal regulations for the security and protection of personal data, it did not comply with them. Despite the existence of a procedure requiring data carriers to be encrypted before being sent, employees of the Disciplinary Advocate's office failed to encrypt the flash drive, which ultimately led to the personal data breach. In the justification of the decision, the President of the UODO also emphasised that the protection of data on external carriers must focus on preventing unauthorised access if the carrier is lost.

The consequences of this breach are a reminder that the effectiveness of security measures must be reviewed continuously, however well defined the internal procedures are. Such measures should include regular security reviews and updates, as well as training employees to comply with data protection regulations and the procedures that implement them.