The Italian Data Protection Authority Published Its Annual Report: In 2019, Public And Private Entities Notified 1,443 Data Breaches
Compliance with the GDPR by companies and public administrations, the protection of fundamental rights in the digital world, the first sanctions and supervisory interventions, cybersecurity, data breaches, the risks related to the use of digital assistants/smart speakers, and cyberbullying are the main issues covered by the Italian DPA in 2019 and presented in its annual report.
With specific reference to the Authority's review of the data breaches notified in 2019, the Italian DPA reports that it received 1,443 notifications in one year, involving public entities as data controllers in 27% of cases and private entities in the remaining 73%.
The number of notifications made in 2019 is significantly higher than in 2018, when data controllers notified 630 data breaches to the Authority between 25 May 2018, the date from which the GDPR became applicable, and the end of the year.
As shown by the reports published by the Italian DPA, in both 2018 and 2019 the most frequent types of data breaches concerned:
- cyber attacks aimed at acquiring personal data, such as access credentials, payment instrument data and contact details;
- unauthorized access to e-mail accounts (both ordinary and certified e-mail, i.e. PEC);
- loss or unavailability of personal data caused by ransomware;
- loss or theft of digital devices or paper documents containing personal data;
- accidental disclosure or dissemination of personal data.
Even allowing for the fact that the 2018 figure covers only the seven months following 25 May 2018, the clear increase in the number of data breach notifications recorded in 2019 underlines a significantly higher awareness among public and private entities of the personal data breaches occurring in their organizations.
In its annual report the Italian DPA also stressed that the priority objectives of the investigations carried out by its departments following the notification of a data breach have been:
- assessing the measures taken by the data controller (or which the controller intends to take) to remedy the breach or to mitigate its possible adverse effects on data subjects; and
- assessing whether the breach should be communicated to the data subjects involved, providing them with specific guidance on the measures to take to protect themselves from any harmful consequences.
Where the breach revealed a possible inadequacy of the measures adopted by the data controller, the Authority carried out inspections in order to gather the elements needed to identify the organizational and technical weaknesses from which the notified breaches originated. These detailed investigations led the Italian DPA, by collegial decision, to adopt prescriptive measures and, in the most serious cases, sanctions.
In order to mitigate the risks arising from data breaches of any kind, it is essential that data controllers and data processors:
- draft and adopt a policy for the management of data breaches, covering in particular how the 72-hour notification deadline set by Article 33 GDPR will be met;
- provide their personnel with specific training on data breaches;
- draw up and keep constantly updated a record of data breaches, as required by Article 33(5) GDPR.
Article provided by: Chiara Agostini (R&P Legal, Italy)
Dr. Tobias Höllwarth (Managing Director INPLP)