Data and Information Security Services
In recent years, security and compliance with the GDPR have come into the focus of IT. In this
regard, we would like to present our new development-support service portfolio,
which has recently been extended with support for data protection and security considerations in the
code of user systems.
We are convinced that there is still much to be done in this area. Among other things, the
compliance of the application systems' software code with security and
data protection requirements does not receive adequate attention. This gap
is revealed by the spectacular negative examples in which confidential information
falls into unauthorized hands through software vulnerabilities. Everyone is interested in
the security of operations, but few people consider how many ticking data security
bombs are hidden in software code of inadequate quality, which even careful
operation cannot prevent.
The data protection and security competence newly added to the development
support portfolio of Spirity Enterprise Zrt. aims to reduce this gap. Our experts, who hold
technical and legal qualifications as well as international IAPP certification, can help you. Whether
the processes envisioned in connection with GDPR preparation need to be reviewed,
such processes need to be created from scratch, or general advice is needed on security
issues arising around development, we are happy to be available.
While many believe the GDPR only raised the bar for privacy and introduced administrative
requirements, the regulation uses the words data protection, and for a good reason.
Since May 2018, there have been multiple enforcement actions by Supervisory
Authorities, a significant part of which dealt with IT security. The GDPR requires companies to
assess the risk of the personal data they hold and adopt proportionate security measures. Some
of the enforcement actions allow us to understand what Supervisory Authorities
considered appropriate measures for the protection of personal data, and what
companies should therefore consider.
The Bulgarian Supervisory Authority fined the National Revenue Agency EUR 2.6 million for
inadequate technical and organizational security measures. It ordered the agency to
introduce a comprehensive risk analysis of its systems and processes within 6 months. The
UK Information Commissioner set out a fine of EUR 204 million for Marriott for failing to
undertake sufficient security due diligence.
In Poland, the operator of Morele.net was fined EUR 640.000 for not implementing
adequately strong authentication methods for systems containing personal data. The Italian
Supervisory Authority fined the IT infrastructure operator Rousseau Association EUR
50.000 for not implementing security logging of high-privilege actions in databases.
GDPR Article 32 on security of processing:
“Taking into account the state of the art, the costs of implementation and the nature,
scope, context and purposes of processing as well as the risk of varying likelihood and
severity for the rights and freedoms of natural persons, the controller and the processor
shall implement appropriate technical and organizational measures to ensure a level of
security appropriate to the risk.”
European Data Protection Board guideline on privacy by design and default:
“a responsibility on the controllers to continually assess... whether the chosen measures
actually counter the existing vulnerabilities. Furthermore, it should be understood that
controllers must conduct regular reviews of the information security measures that
surround and protect the personal data, and the procedure for handling data breaches.”