Malicious Insiders’ Threats to the Personal Data Security. The Hard to Comply Rules of the GDPR


Bibliographic Details

Published in: Global Privacy Law Review, Vol. 5, Issue 4, pp. 154-163
Main Author: Sowa, Tomasz
Format: Journal Article
Language: English
Published: Madrid: Aspen Publishers, Inc., 01.11.2024

Summary: According to recent reports on cybersecurity issues, attacks initiated by malicious insiders were the costliest and the longest to resolve, even though they constitute a clear minority of all data breaches. They also pose significant problems for compliance with the rules on personal data protection. The General Data Protection Regulation (GDPR) does not differentiate personal data breaches by their source, whether internal or external. Thus, in theory, the obligations of data controllers in the aftermath of personal data breaches caused by malicious insiders and by outsiders are the same. However, breaches caused by malicious insiders are much harder to identify, which causes severe problems under the GDPR regarding the distinction between breaches of security and personal data breaches, and in turn affects the notification obligations towards data protection authorities and data subjects. This article shows that malicious insider threats are hard to address appropriately under the GDPR, which may expose, on the one hand, controllers and processors to the risk of non-compliance, potentially triggering civil liability and administrative fines, and on the other hand, data subjects to a high risk to their rights and freedoms of which they will never be aware unless that risk materializes and affects them directly. The author therefore supports proposals for legislative changes that may help to fill the existing gap, provided that they are followed by comprehensive amendments regarding the content of notifications to data subjects and the investigation obligations that follow information about a possible breach.
ISSN: 2666-3570, 2666-3589
DOI: 10.54648/GPLR2025001