Data breaches from the employee’s perspective

The most important thing from the perspective of an ordinary employee is to recognise that a breach has occurred at all, and then to quickly pass the information to the right people in the organisation. They are the ones who will take the further steps required by the GDPR in relation to the breach (including, where required, notifying the supervisory authority within 72 hours of becoming aware of it, which is why speed on your side matters). If you are not sure whether a breach has occurred, that is fine; you do not need to be a data protection specialist. What matters is that you let someone know that "something is wrong".

What is a data breach anyway?

According to the GDPR, a "personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. A breach is not the end of the world; breaches simply happen. For instance, in 2020, 7,507 breaches were reported to the President of the Personal Data Protection Office, and the most common ones involved sending correspondence containing personal data to the wrong recipient, disclosing data to the wrong person (e.g. by handing documents to the wrong person), or unauthorised access to information caused by a programming error. Remember: personal data means all information about an identified or identifiable natural person, not only name, surname and PESEL number (the Polish national identification number). It also includes, for example, data on a person's location or the history of websites they have visited.

When you suspect a breach but do not know what to do

It might happen that you work in a small organisation that has not yet put its data protection procedures into practice, or has none in place at all. Still, there is no need to worry. Find out whether your organisation has a data protection officer and contact them; they will certainly take care of the matter. If there is no such officer or any other person designated for data protection matters, report the matter to your immediate supervisor, the company lawyer and the IT specialist. Tell them all the circumstances of the incident, even those you are not 100% sure are relevant to the investigation. If none of the above people reacts to your information, take courage and contact top management. Bear in mind that you are acting in the interest of the entire company!

Secure the evidence you can collect

If something strange happens on your computer screen, e.g. you suddenly lose access to some data, or you have access to more data than you should, you see documents in the recycle bin (perhaps not a breach yet, but close to one), or you see an unknown participant in a videoconference, try to preserve the evidence, e.g. photos or screenshots, so that you can pass it on to the people investigating. Note the time and what you were doing at that moment, and do not try to "clean up" or delete anything yourself, as that may destroy evidence the investigators need.

At the same time, think twice before sharing the data you process at work with anyone outside your organisation. If you have not done so before, make sure you are allowed to and ask your supervisor. An important person you do not know is calling from your company's parent company and asking for the sales director's telephone number? Do not give it out right away; ask them to be patient, tell them you will call back in a moment, and pass the request to your supervisor (when you do call back, use a number you have looked up yourself rather than one the caller gave you). Who knows, maybe it was the sales director's ex-wife calling to confirm the promotion and demand higher alimony? You never know :)
