2700 personal data breaches have already been reported to the Office of the Data Protection Ombudsman
Organisations’ obligation to report started in May 2018, when the General Data Protection Regulation (GDPR) was enforced. The Office of the Data Protection Ombudsman has noticed that the reporting threshold varies by organisation.
The Office of the Data Protection Ombudsman must be notified of personal data breaches, if the breach could cause a risk to the rights and freedoms of natural persons. The criteria used in the risk assessment include what kind of personal data was involved and how serious are the potential consequences of the data breach, for example.
The risk to the data subject must be considered in the risk assessment related to a personal data breach. This is not a business risk assessment, even though the risk to the data subject may also indirectly cause a business risk.
After notifying the Office of the Data Protection Ombudsman about the data breach, controllers can get advice relating to the protection of personal data and whether the people affected by the breach must be notified about the breach or not. If necessary, the Data Protection Ombudsman may order the organisation to comply with the obligations in accordance with the GDPR.
Notifications are usually assessed on a case-by-case basis, but the activities of the controller may also be reviewed as a whole. Because the data breaches reported to the Office of the Data Protection Ombudsman differ from each other a great deal, giving general instructions on risk assessment and handling breaches is challenging.
The reporting threshold varies by organisation
The Office of the Data Protection Ombudsman has noticed that the reporting threshold varies by organisation. The reporting practices can vary widely even within the same field.
The number of reports received from an organisation does not necessarily indicate that the protection of personal data is inadequate. Reports may also be a sign of the organisation being familiar with the data protection legislation and the obligations related to personal data breaches. In fact, the largest number of reports has come from regulated fields, especially health care, telecommunications and the financial sector.
The number of reports on personal data breaches also varies between EU and EEA countries. The number of reports made in Finland has been comparable to Sweden. The data protection authorities monitor and analyse the development of the situation.
Organisations must improve their precautions against phishing messages
Phishing attempts involving Office 365 user IDs and passwords continue actively, causing personal data breaches. Phishing attempts via email are targeted at both private individuals and organisations.
The phishing messages are often skilfully fabricated. The messages and the webpages to which their links lead may look completely accurate, as if they really came from your own organisation.
Organisations should take precautions against phishing messages by training the management and the employees regularly. Organisations should specify in what kind of services or websites the organisation members are allowed to enter user IDs and passwords. The personnel should also be advised on how to check that the URL address is valid and other similar issues.
The data security features of applications should also be used more effectively. Controllers should activate the data security and logging features of Azure AD, O365 and the Exchange service. The default settings are not enough when trying to discover the course of events after the fact in data breach cases and find out what kind of personal data was leaked from the organisation to the attackers.
Data Protection Ombudsman Reijo Aarnio, tel. +358 40 520 7068, reijo.aarnio(at)om.fi
Personal data breaches
Data breach notification
Website of the National Cyber Security Centre