What are personal data and why they’re important
In a hyper-connected society like the one we live in, users and services providers share more and more information on a daily basis and, clearly, the diffusion and massive use of sophisticated technologies added the need of considering new personal data to the traditional ones that must be handled. Such data relate to the Internet browsing, electronic communications, the use of smartphones apps, or geolocationing. Hence, the protection of personal data is now a crucial priority in terms of privacy requiring the adoption of fine measures to guarantee fundamental rights and freedoms.
But anyway, what are personal data? A clear and simple definition of personal data is given within Article 4 (1) of the GDPR, describing them as “any information relating to an identified or identifiable natural person (or ‘data subject’) […] who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
Nowadays personal data have become extremely important as they’re used as precious resources to access and use effectively many IT services and applications. Indeed, this represents a comfortable way to save time and make daily operations quick, but it also exposes users to serious cyber risk like data breaches and identity thefts.
Some personal data are particularly important for GDPR (EU Reg. 2016/679), such as:
- direct identification data, like complete names (first and last name) or biometrics;
- indirect identification data, like IP addresses, mobile numbers or serial codes;
- sensitive data, which reveal specific categories of information like ethnic origins, religious beliefs, political opinions, health information, sexual orientation, etc.;
- judicial data, which verify the existence of certain judicial measures subject to registration in the criminal record, such as final criminal conviction measures and alternative measures to detention.
Personal data and privacy: why should we protect them?
Companies operating online and users must be aware of the risks related with fails on the subject of personal data protection and should consider to implement proper measures to prevent data violation, theft and abuse, in order to increase the digital trust.
Why should we protect personal data and privacy with the best solutions available? Here are some key reasons that make data privacy a primary cyber security issue:
- prevention of identity theft, as malicious people could breach through systems, steal personal information and exploit them for IT crimes, from the unauthorized access to personal bank and online accounts up to the whole corporate insider threats panorama faking to be a business manager running a key role;
- financial security, as personal banking information, such as credit card numbers, passwords and other identification methods, are particularly sensitive and so yearned by cyber criminals for unauthorized transactions and financial fraud;
- reputation protection, as the disclosure of personal information can have serious consequences in terms of privacy, reputation and damage to personal image, for both individuals and companies;
- fulfillment of regulatory obligations, as failing at complying to adequate rulings and laws on the subject of personal data protection and privacy can result in significant legal sanctions and fines.
What does Version 2.0 of the EDPB Guidelines say?
The European Data Protection Board (EDPB) is an independent European body whose purpose is to ensure consistent application of GDPR and foster cooperation between EU data protection authorities. In fact, it includes the national supervisory authorities of the countries of the European Economic Area, as well as the European Data Protection Supervisor (EDPS).
In the Version 2.0 of Guidelines 9/2022, regarding the management and notification of personal data breaches, the EDPB made clear that while it’s responsibility of data controllers and processors to implement measures to prevent, respond and deal with potential breaches, there are still practical actions that should be taken everytime a risk occurs (e.g. an incident response plan). First of all, information about all security-related events must be communicated to who’s responsible for addressing incidents, establishing the actual existence of a breach and assessing the risk (no risk, risk or high risk), before informing the target subject of the breach (usually an organisation) on what happened and what’s affected by the attack; later, a notification to the supervisory authority and, potentially, communication of the breach to the individual data subjects must be carried out, if necessary; at the same time, the controller must act to contain and recover the breach, providing proper documentation as it develops.
Therefore, it’s clear that the data controller must act on any initial report in order to establish whether a breach has actually occurred or not. If there’s a reasonable certainty of a real violation occurring, all necessary measures must be taken to tackle the attack, solve it and mitigate damages; after danger has extinguished, must notify the event to the supervisory authority without delay. Indeed, if a controller doesn’t act timely as it becomes apparent that a breach has occurred, this could be regarded as a failed notification according to GDPR’s Article 33 and, of course, it would cause severe consequences for the controller.