GDPR fine following cyber attack: what happened and what does it mean for you?
A storage company in Romania has been fined for failing to sufficiently protect its customers’ personal data.
The National Authority for the Supervision of Personal Data Processing (ANSPDCP) has fined the company 24,884.50 lei (equivalent to 5,000 EURO) for failing to implement adequate security measures to protect customers’ personal data.
What happened?
The company was the victim of a cyber attack which resulted in unauthorized access to customers’ personal data and in that data being unavailable for a period of several weeks.
Why was the company fined?
The ANSPDCP found that the company in question did not implement adequate technical and organizational measures to prevent such an incident.
What does this mean for you?
It’s important to choose companies that take your data security seriously. EURO MINI STORAGE ROMANIA SRL has been fined for not doing enough to protect you.
Appropriate technical and organizational measures recommended for GDPR compliance
Technical measures:
- Data encryption: Encrypt personal data both at rest and in transit.
- Access control: Implement an access control system that restricts access to personal data to authorized persons only.
- Network security: Implement network security measures such as firewalls and intrusion detection systems.
- Security software: Use up-to-date security software such as anti-virus and anti-malware tools.
- Backup, recovery and testing: Implement and test a backup and recovery plan to ensure data availability in the event of a security incident.
- Vulnerability management: Identify and remediate known vulnerabilities in systems and software on a regular basis.
- Risk management: Assess the risks to personal data and select measures proportionate to those risks.
Organizational measures:
- Security policies: Implement security policies that define the procedures for managing personal data.
- Training: Train staff on GDPR obligations and on how to handle personal data securely.
- Awareness: Raise awareness of data security risks among staff.
- Incident management: Implement an incident management plan for responding to data security incidents.
- DPO: Appoint a Data Protection Officer (DPO) to oversee GDPR compliance.
Additional recommendations:
- Conduct regular security audits to identify and remediate vulnerabilities.
- Use monitoring and analytics tools to detect suspicious activity.
- Maintain up-to-date data protection documentation.
Resources:
- General Data Protection Regulation (GDPR): https://eur-lex.europa.eu/legal-content/RO/TXT/?uri=CELEX:32016R0679
- National Authority for the Supervision of Personal Data Processing (ANSPDCP) GDPR Guide: https://www.dataprotection.ro/
- Read more about GDPR: https://www.dataprotection.ro/
- Learn how to protect yourself online: https://www.cert.ro/
Conclusion:
This fine is an important reminder to companies that they need to take customer data security seriously. It is also a reminder for all of us to be careful about what personal information we share online.