As reported on November 22, 2018, A German social media platform called Knuddels.de has been fined €20,000 ($22,735 USD) following a breach that exposed the personal information of 330,000 users, including their passwords and e-mail addresses, according to a statement (in German) by the regional Baden-Württemberg data protection watchdog (LfDI Baden-Württemberg). The chat/flirt/social media site, which is one of the country’s largest chat platforms, notified the authorities in September after it learned that 1.87 million username/password combinations and over 800,000 e-mail addresses were dumped on Mega.nz and Pastebin.com.
Knuddels.de stated on their site that they had verified 330,000 emails belonged to unique users. In some cases, the users’ real names and home addresses were also leaked in the attack that was found to have taken place in July. During the investigation it was identified that Knuddels.de stored user passwords in clear text. By storing user passwords in clear text, the company, knowingly or not, violated its duty to ensure data security in the processing of personal data in accordance with GDPR Article 32(1)(a).
In our previous blog we emphasized the importance of ‘Design’, as we continue with this week’s blog, Design is still relevant to the discussion and is one of the most important considerations we all should have of organizations who hold and process our personal information. When reengineering a legacy system, like what Knuddels.de has done (ouch), Solution Architects and Software Engineers must be able to identify where personal information resides in the database(s). Systems design documentation and data maps are more than merely artifacts used to check a box for regulatory compliance, they drive important data processing decisions, and serve to identify poor design decisions - like storing user passwords in clear text.
GDPR is first of all demanding due to its detailed transparency requirements. Any organization as well as other bodies that process personal information, are also to a large extent required to document the processing, ensure the lawfulness of processing, document the existence of sufficient procedures, provide information on security measures and to ensure that sufficient data processing agreements are in place. The importance of systems design and documentation are critical to understanding the data an organization stores, where it is located and the processing the data is subjected to.
Let’s expand upon the importance of design further and flush-out more details in some key areas of compliance.
Data mapping is the process of creating a visual representation of all of the data an organization collects and stores, providing for insights into the potential risks associated with specific data definitions such as personally identifiable information, email addresses and passwords. As an integral part of systems design, and as required to satisfy GDPR compliance, data mapping provides a documented means for organizations to understand what data is being collected, the origination of the data, where it is being stored and the conditions in which it is stored (the ‘why’). When not taken into consideration during design, data mapping can be a challenging process for organizations to retrofit within legacy platforms. Data mapping can help organizations meet aspects of GDPR compliance by identifying and addressing any potential privacy issues and risks towards the confidentiality, integrity and availability of stored data.
The purpose of the Data Breach/Incident Response Plan is to prevent and/or minimize a serious loss of Profits, Customer Confidence or Information Assets by providing an immediate and effective response to any unexpected event involving Computer Information Systems, Networks or Databases.
In the event of a Privacy or Security incident, the goals of Blueberry, Inc’s Incident Response Team are to:
Prior to GDPR, a DSAR was typically associated with employees requesting what personal information their employer held about them, how this information was being used, if their personal information left the organization, and if it did, for what purpose. Now, as defined in GDPR Article 15, if you wish to gain access to the personal information an organization holds about you as an individual, you only need to complete a Data Subject Access Request form. As you recall in our last blog, Mr. Schrems, an attorney in Europe, submitted a Data Subject Access Request to Facebook and he received a 1,200 page PDF representing three years of casual usage!
Upon receipt of your DSAR form (available with the platform launch in January 2019) and the appropriate supporting documents, our Data Protection Officer will review your request and notify you of the latest date by which we aim to provide this information. When we have collated the data, we will send you a copy of your details according to the medium you selected on the DSAR form. The ability to execute your DSAR with a high degree of confidence and accuracy is the product of having a comprehensive and maintained Data Map.
Want to learn more about GDPR? Read our other blogs on the subject.
Unlike other providers, we don't require you to pay a fee to create an agency account. Sign up for FREE today!
Create your agency account.
Respond to the set up email.
Start designing websites.