Reading time
10 minutes
What will you learn?
You will learn a few key terms relating to data breaches and ways in which you can prevent data breaches as much as possible.
Summary
‘A data breach concerns the unauthorised access to or unintentional release of personal data. But it also concerns the unwanted destruction, loss, modification or disclosure of personal data’, according to the definition of the Dutch Data Protection Authority. So a data breach can refer to the loss of a USB stick containing personal data, but also to the unintentional sending of a series of your colleagues’ email addresses to an external supplier.
When collecting and sharing personal data, you can minimise the risk of data breaches by thinking critically in each case about which personal data is strictly necessary in order to fulfil your intended purpose, deleting that data again once it is no longer necessary for that purpose, informing the data subjects about the processing of their data in a transparent manner and taking all the protection measures discussed previously.
Here, too, it is important to be properly informed about the rules of conduct in relation to the classification of information: which actions are you allowed to take with which types of information? If things do still accidentally go wrong, you must inform the [insert department] of this immediately.
The 'Nonofficial Cover List', also referred to as the 'NOC list', was the list of all names of secret CIA operations and the people who took part in them. This list formed the basis of the film ‘Mission Impossible’, in which Tom Cruise is motivated to take extreme measures to steal it...
If the NOC list were stolen, that would constitute the biggest data breach in CIA history. It would mean that all operations and infiltrators would be revealed to the outside world in one fell swoop. Fortunately, most education institutions do not have this kind of top secret material at their disposal, but even at an education institution, there is enough personal data that you prefer not to share with unauthorised persons...
And frankly, a data breach need not be very serious at all to have unpleasant consequences for the data subjects involved. The intentional or unintentional sharing of data such as salary scales, medical data or even email addresses is already considered a data breach. An accident might be just waiting to happen. Have a look at this example:
That's how quickly and easily a data breach can occur. Often there are no bad intentions behind it, but human clumsiness, which can have big consequences for the data subjects involved. The principle ‘Only allow the right people access to the right data’ therefore sounds extremely obvious, but requires a procedure which prioritises privacy and security with each and every action taken (particularly in the handling of personal data). Fortunately, you can greatly reduce the risk of a data breach occurring by teaching yourself to follow a few simple routines.
The General Data Protection Regulation (GDPR) is about personal data. The first question is therefore always: in which operations in my work do I process personal data? The GDPR applies only to those operations. Watch the general video below about the GDPR first and then read the key points for dealing appropriately with the GDPR in your work.
The GDPR is based on six principles, which are also referred to as the rules of thumb. These rules of thumb are important for employees when working with personal data. By consistently applying them, you lower the risk of mistakes being made in the handling of personal data.
The six rules of thumb, each with a corresponding question, are listed below. If, in the course of handling personal data, your answer to one of these questions is ‘no’, then you will have to adjust the way in which you collect or share the personal data, for example by better informing the data subjects (‘Transparency’), destroying the personal data (‘Storage limitation’) or asking for a nickname rather than a real name in a particular app (‘Data minimisation’).
A data breach concerns the unauthorised access to or unintentional release of personal data. But the undesirable destruction, loss, modification and disclosure of personal data are also considered a data breach. The General Data Protection Regulation pertains only to living individuals. If an archive folder from the Faculty of Archaeology containing the first and last names of soldiers who died in 1918 is stolen, that does not constitute a data breach under the GDPR.
If a laptop or other business device is stolen, that does not necessarily mean a data breach has occurred, either. If you have always worked in the cloud on that laptop and there are no files saved locally on it, then the theft is very unpleasant, but it does not in itself constitute a data breach. Bear in mind, though, that a stolen device may still hold cached credentials or logged-in browser sessions that give access to personal data, so always report the theft and let the device's accounts and sessions be revoked. The situation is different, of course, if an unencrypted USB stick containing medical files or a printed copy of the photo directory (the ‘facebook’) falls into unauthorised hands.
So when is something considered a data breach? In principle, that is not for you to decide. That may sound inconvenient, but in our organisation, that responsibility lies with [insert contact details]. So anytime something goes wrong in relation to personal data, it is therefore essential that you report it to them immediately. If you fail to do that and the mistake is discovered later, then the consequences for the data subjects will in most cases be more serious than if you had reported the incident straightaway.
Moreover, your organisation may be required to report the incident to the Dutch Data Protection Authority. If that is the case, this must be done as soon as possible after the incident has occurred (the GDPR requires notification within 72 hours of the organisation becoming aware of the breach); reporting the incident late may lead to your organisation incurring a large fine. You should therefore report incidents immediately (and not hours or days later) to [insert contact details], even if you are unsure whether the incident in question meets the definition of a data breach.
What are some examples of possible data breaches?
- Emailing documents or text containing personal data to the wrong recipient.
- Emailing your colleagues’ email addresses in CC to the wrong recipient (an email address is also personal data if it can be traced back directly to a specific person).
- Unintentionally losing access to personal data (loss of availability is also a breach, even if nobody else has seen the data).
- Ransomware on your computer, which makes personal data unavailable and may have given the attackers access to your files.
- Improperly configured authorisation in a collaborative environment in which personal data is also stored.
- Using your manager's account to log in, as a result of which you have unauthorised access to the HR data of your colleagues.
- Sharing personal data with an external party without having made clear agreements (in accordance with the GDPR) about it.
- Leaving printed documents containing personal data in the printer or the rubbish bin.
Classification refers to assigning one or more labels to information (e.g. information in a digital or printed document, confidential discussions, etc.), so that you as an employee know how you may and must handle that information: for example, where you are permitted to publish a document, or how big the risk is if an unauthorised individual eavesdrops on a confidential discussion or reads a whiteboard on which confidential information is written. By being aware of the classification of information, you reduce the risk that its content will be improperly distributed and, as such, the risk of a data breach. You can read here [add download location] which classifications we apply and what the etiquette is for each classification.
Authorisation determines which employee has access to which information. Each employee must only have access to the information relevant to their specific position. If, for example, you share a particular folder with your colleagues in the cloud, be extra careful that only those individuals who are authorised to view the content are given access to it, and check the folder's sharing settings rather than assuming them. Always ask yourself: who will be able to access these files if I save them in a particular folder? Is it necessary to restrict the folder further for added security? And who should I CC when sending out a sensitive document (thus giving them access to that document)?