An international survey by the Global Privacy Enforcement Network (GPEN), in which the Catalan Data Protection Authority (APDCAT) participated, finds that there is a high level of awareness among those responsible for the processing of personal data regarding the obligation to report violations of personal data security
March 2020
According to the GPEN survey, 84% of organizations surveyed have systems in place to report security breaches, including a designated team or group responsible for managing security breaches.
The organizations surveyed show a high level of knowledge of best practices for responding adequately to security breaches, although it should be noted that the results were obtained only from entities that voluntarily accepted the offer to participate: in the case of Catalonia this was 57% of the entities surveyed, and in other areas it was lower.
Survey findings
It was found that a high percentage of organizations (84%) from all sectors and jurisdictions involved have appointed a team or group responsible for managing security breaches, to which non-compliances should be reported.
Some 75% of organizations' procedures involve key elements, such as threat containment and associated risk assessment. Of the responses related to this question about procedures, 18% were "poor", indicating that these policies could be clarified in order to specify and anticipate the key steps to be taken in order to adequately respond to a security breach.
In 65% of organizations, "very good" or "good" procedures were found for acting after a security breach and for preventing breaches from recurring. The remaining organizations in this category have "poor" procedures, or did not specify a response.
Organizations without internal policies indicate that they rely, when necessary, on the guidelines published by their Data Protection Authority of reference. One respondent described their security breach assessment system, stating that they had implemented a red, amber, green (RAG) rating system. This system takes into account the number of files affected, the sensitivity of the data, the damage caused, the containment of the breach, whether the information was recovered and whether the data was encrypted.
Reporting of security breaches is mandatory in 12 of the 16 jurisdictions that participated in the survey. Almost all surveyed organizations are aware of the relevant legal framework, including notification conditions and deadlines. Only five organizations showed a misunderstanding of the legal framework.
The information and advice provided by the local Data Protection Authorities (DPAs) on the notification of security breaches is considered useful by most of the organizations surveyed. However, smaller organizations say they have struggled to assimilate large amounts of information. This, together with the lack of resources of these small organizations, has reportedly prevented them from developing sophisticated policies and procedures for managing security breaches.
Expectations are not met
Despite having a good knowledge of the obligations, the survey shows that many organizations do not meet expectations, in the sense that they have no internal control or monitoring plan, aligned with data protection standards, for managing security breaches. Specifically, more than 30% of organizations do not have programmes in place to conduct self-assessments and/or internal audits.
About 45% of responding organizations indicated that they keep up-to-date records of all security breaches suffered, as well as of potential breaches.
Participation of the Catalan Data Protection Authority
As in previous years, the Authority has participated in the annual GPEN survey.
On this occasion, several entities within the scope of control of the Authority (Departments of the Generalitat, Universities and Professional Associations, as well as randomly selected Town Councils) were surveyed on how they manage mandatory notification to the APDCAT.
Specifically, respondents were asked various questions about their level of knowledge regarding the obligation to report security breaches and how to do so; about security incidents they have suffered; how they managed them; on the existence of action protocols; on the response received after notifications; on communication to affected people; and also on their knowledge regarding the risk assessment of a security breach.
The responses help the Authority to gauge the level of awareness of those responsible for detecting and reporting security breaches regarding their obligations, and how they have to deal with such breaches.
The report prepared by APDCAT can be found here.
Final notes
1. The GPEN was set up in 2010 on the recommendation of the Organisation for Economic Co-operation and Development (OECD). Its aim is to foster cross-border cooperation between privacy regulators in an increasingly global market, in which trade and consumer activity are based on the flow of personal information across borders. Participating Authorities seek to work together to strengthen privacy protections in this global context. The informal network is made up of more than 60 Authorities in 39 jurisdictions around the world.
2. GPEN is currently chaired by the Office of the New Zealand Privacy Commissioner.
3. For the survey, a set of predetermined questions was prepared about the current practices of the surveyed organizations for recording and reporting data breaches.