On the third anniversary of the start of application of the General Data Protection Regulation (GDPR, RGPD in Spanish), the Spanish Data Protection Agency (AEPD) has published a statement reporting that in 2021 alone it has already handled more than 700 notified data breaches.
Although the GDPR began to apply three years ago, in 2018, users continue to face significant risks. According to the AEPD, most of these breaches are caused “by an external and intentional attack”, with ransomware, malware that locks part of the system and demands a ransom to release the files, being the most frequent threat.
Is the GDPR effective? 36 months after one of the strictest privacy and security laws in the world began to apply, some experts believe it has not shown the expected effectiveness.
Almost half of European companies – 43% – believe that they may be the target of a cyber attack. Yet many of them ignore their reporting obligations: companies are supposed to report breaches of their databases to the relevant authority within 72 hours of the attack being discovered, but a CrowdStrike study reveals that three out of ten companies that have been the victim of a cyber attack do not report on time.
Regarding prevention, according to the same study, just over half – 55% – of these companies consider themselves prepared for a security incident, but only 34% have specific protocols for when they are attacked.
The AEPD released this Tuesday the data for the first five months of 2021 on the occasion of the publication of an update of its ‘Guide for the notification of personal data breaches’, a document that aims to guide those responsible for the processing of personal data in their obligation to notify breaches to the data protection authorities and to communicate them to the people whose data has been affected.
“The main purpose of this update is to facilitate the effective and efficient fulfillment of the ultimate objectives of the notification of personal data breaches: the effective protection of the rights and freedoms of people, the creation of a more resilient environment based on the knowledge of the vulnerabilities of the organization, and the guarantee of legal certainty by providing those responsible with a means to demonstrate diligence in compliance with their obligations”, the AEPD detailed.
Likewise, it recalled that “any organization is exposed to a personal data breach that may affect people’s rights and freedoms, and is obliged to manage it properly”. “This incident may have an accidental or intentional origin and, generally, causes the destruction, loss, alteration, communication or unauthorized access to personal data,” it stressed.
Communication to those affected
As a complement to this guide, the agency recalled that it has a tool called ‘Communicate-Gap RGPD’, which helps organizations decide whether or not to communicate a data breach to the affected persons, an obligation independent of reporting the breach to the supervisory authority.
This resource is based on a short form that collects the details needed to apply basic criteria indicative of the risk associated with the breach. Once the form is completed, and depending on the information provided, the tool indicates one of three possible outcomes: that the affected persons should be notified of the security breach because a high risk is perceived; that such communication is not necessary; or that the level of risk cannot be determined.
The GDPR, a comprehensive regulation
According to the CrowdStrike study mentioned above, the entry into force of the European regulation was a real ‘headache’ for one in five companies, but the same proportion of organizations believe that it was a necessary regulation.
A third believe that, thanks to the new regulation, Europeans’ data is better protected, and a significant proportion – 58% – state that they are now better prepared for cyber intrusions. In fact, up to 28% of organizations confirm that thanks to the application of the regulation they were able to minimize the effects of attacks they suffered.
What remains striking, however, is that 8% of companies believe that these rules do not affect them, and two out of ten do not even know whether they have to comply with them.
What data are cybercriminals after?
According to Chema Cuadrado, a cybersecurity specialist at Hiberus, cybercriminals normally try to get hold of data entered by users: email accounts, telephone numbers, credit cards, the locations we move through, tastes and hobbies… “Some of these different categories are highly valued on the Dark Web,” he points out.
“To try to live with a little more tranquility, my recommendation is to have common sense, use official applications with a security program and keep the system or devices updated. This basic measure is effective and you put another barrier of difficulty in the way of cybercriminals,” he emphasizes.