Affected persons want to know how to deal with the consequences of personal data breach

Only one in three Poles is aware who, in the event of a data leakage, should handle the process of neutralizing its negative effects. Respondents who declared that they were aware of who should handle the issue most often indicated law enforcement agencies (69 percent of indications) and the company or institution that processed the personal data (60 percent).

Further down the list of entities that, according to respondents, should face the consequences of a data leakage were the  Personal Data Protection Office (more than 56 percent) and the data protection officer from the institution where the breach occurred (more than 44 percent). However, almost 35 percent of answers in which respondents felt that the consequences of the leakage should be dealt with by the affected persons themselves should be considered worrying. This may indicate that a sizable group of people may feel left alone in such a situation.

The controller shall implement technical and organisational measures to ensure an adequate level of protection. Pursuant to Article 24 of the GDPR, the controller is obliged to take into account: the nature, scope, context and purposes of the processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons , the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with GDPR. Thus, the controller should proactively and at every stage of processing take care of data protection. It should be remembered that it is the controller who is primarily responsible for non-compliance with the GDPR provisions, especially when a personal data breach occurs, e.g. in the form of a data leakage - says Jacek Młotkiewicz, Director of the Inspections and Breaches Department of Personal Data Protection Office.

Affected Persons expect information about the leakage

Those who have been affected by data leakage expect first and foremost to be informed as soon as possible that there has been personal data breach and its extent (about 60 percent of indications). In addition, they would appreciate information of the measures taken by controllers to prevent occurring similar situations in the future (nearly 57 percent), as well as information on to whom the leaked data may have gone (more than 53 percent).

More than half of respondents also expect legal support (53 percent) or to cover its costs and expenses that will be associated with the consequences of the breach (52 percent). Respondents would also like to know from the controller what the consequences of such a situation might be and what they should do to minimize the effects of a leakage (more than 44 percent). Nearly 40 percent of respondents believe that the person responsible for the leak of personal data should give the affected persons financial compensation for their losses or a discount on their own services.

- In such situations, response time is of paramount importance. The whole issue is made more difficult by the fact that the security of databases, depends not only on us, but on the entities that manage them. Therefore, it is also important to know whom to contact in such case and what action to take. For example, if among the leaked information there is also personal data, such as your personal identification number (PESEL), you should check as soon as possible whether someone has already tried to use it. It is also worth thinking about starting monitoring the credit activity of our personal identification number (PESEL), thanks to this we will prove if in the future someone wants to obtain a loan or other financial obligation with using our PESEL number - says Bartlomiej Drozd, expert of the

Employees need training on data security

The majority of employed participants in the survey (nearly 69 percent) answered in the affirmative when asked whether they were aware of data protection procedures at their place of employment. The fact that the percentage of those who do not know that exceeds 30 percent, however, should be considered a worrying sign. It looks even worse if we ask employees whether they know how their employer secures their personal data. This is because only just over half of them (51 percent) answered in the affirmative.

This state of declared knowledge is not necessarily due solely to omissions on the part of the employer. However, it is difficult to remain optimistic if nearly two-thirds of those surveyed assure that trainings on personal data security are not organised regularly.

The survey, commissioned by and the Krajowy Rejestr Długów BIG S.A. under the auspices of the Personal Data Protection Office, was conducted in the first half of 2022 using the CAWI method on a representative group of 1010 respondents by IMAS International.