Compliance with data protection regulations is a significant time and financial burden for businesses. Thus, it can cause a particularly serious problem if a privacy incident occurs, namely personal data is breached in some way. That is why the European Data Protection Board has recently published a guideline detailing the most common types of incidents and making recommendations for their prevention.

Privacy incident is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data processed.

Incidents fall into the following categories:

  • Breach of confidentiality – in which personal data is accessed or disclosed without authorization or inadvertently;
  • Breach of integrity – in which unauthorized or accidental alteration of personal data occurs;
  • Violation of availability – loss of access to personal data and destruction of personal data unauthorized or accidentally.

In practice, the following incidents occur most often, so it is worth paying special attention to their prevention:

  • ransomware – Ransomwares access and encrypt personal data managed by the data controller in such a way that the data controller cannot access it, only in exchange for the “ransom” offered by the ransomware;
  • data infiltration – The purpose of these attacks is usually to copy and misuse personal data for some malicious purpose;
  • internal human risk source – These incidents may be intentional or accidental. It is important to prevent and develop a stable internal security system to minimize risk;
  • lost or stolen devices and paper documents – Devices must be equipped with appropriate security measures to prevent unauthorized access to the data.
  • mispostal – The source of risk is an internal human error, the result of lack in attention;
  • psychological manipulation (social engineering) – such as e.g., phishing attacks, in which victims are forced to provide confidential information.

Prevention is key part, so it is worth taking the time and resources to prevent a privacy incident from occurring or cause the least amount of damage.