The Catalan Data Protection Authority (APDCAT) registered, from 1 January to 31 December 2021, 124 notifications of personal data security breaches (NVS), an increase of 42.5% over the previous year. This increase is attributed to the growing awareness among data controllers of the notification obligation imposed by the General Data Protection Regulation (RGPD), and also to the rise in appointments of data protection officers, a key figure in helping entities meet their regulatory obligations.
In accordance with the regulations, the entities within the APDCAT's area of competence must notify it of any incident that affects the confidentiality, integrity or availability of the personal data for which they are responsible, unless the incident is unlikely to pose a risk to the rights and freedoms of individuals.
More than two million people affected
These breaches have affected more than two million people, a figure that could be even higher, since in eight cases it was not possible to determine the number of people affected. The total number of people affected has thus almost doubled compared to the previous year.
As for the cause of the security breach, in 2021 malicious external acts (50%) overtook human error (43%). Within malicious external acts, cyberattacks (phishing, hacking and ransomware) account for 30% of reported breaches, and the theft of devices and documentation for the remaining 20%.
In all these cases, the APDCAT has analyzed whether measures were taken to resolve or contain the data security incident, to limit its risks to those affected and to prevent, as far as possible, its recurrence. Likewise, in all cases where there was a high risk to the rights and freedoms of the data subjects affected by the breach, the communication obligation provided for in the RGPD has been complied with. In some cases this communication was made on the entity's own initiative and, in others, at the request of the Authority.
As to the nature of the breaches, the vast majority of incidents affect the confidentiality of the data, and in some cases (11%) the availability as well. This prevalence of confidentiality has remained constant, with similar percentages, since June 2018, when the RGPD became fully applicable. A much smaller percentage affects availability and, lastly, the integrity of the data, which has halved compared to 2020. It should be borne in mind that a security breach can affect confidentiality, availability and integrity at the same time.
Following the trend since 2018, most of the breaches affect contact and identification data. However, in 2021 the order of the percentages was reversed compared to the previous year, as the impact on contact data increased considerably, from 63% in 2020 to 87% in 2021. This is followed by special categories of data (mostly health data), which have nevertheless gradually decreased compared to previous years, the percentage falling from 42% in 2019 to 29% in 2020 and 24% in 2021.
With regard to the groups of people affected, in 2021 the registered security breaches had a greater impact on self-employed workers (65%) and the general public (52%), substantial increases compared to the previous year (34% and 32% respectively). By contrast, breaches affecting minors and other particularly vulnerable groups declined.
Most of these NVS come from the local administration and the Generalitat but, whereas in previous years the proportion between the two types of entity was fairly balanced, in 2021 the gap widened: while the percentage of cases corresponding to the local administration increased by 10% compared to 2020, that of the entities of the Generalitat de Catalunya decreased by 8%.