Principle of integrity and confidentiality (security)
Article 5.1.f of the GDPR establishes that:
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Of the different GDPR principles of data protection, integrity and confidentiality (or security) is probably the most significant, and the principle that may have the biggest impact on your organisation and its data subjects in the event of a breach or non-compliance.
The lack of an appropriate information security framework within the organisation may lead to data breaches that otherwise could have been prevented. Depending on whether the data breach concerns confidentiality, availability or integrity of the information, and the categories of data affected, the impact may be highly severe.
For instance, if an attacker accesses and obtains the personal data a financial entity holds about its customers, those data might be used to commit identity fraud, mortgage fraud or other financial fraud.
For data subjects, that might result in financial loss, lost time and stress. For your company, an infringement of the GDPR principles may expose it to administrative fines of up to EUR 20 000 000, or 4 % of its total worldwide annual turnover, whichever is higher, without prejudice to any other administrative, non-judicial or judicial remedies.
Suffering a personal data breach without having adopted an appropriate information security framework may expose your company to administrative fines of up to EUR 20 000 000, or 4 % of its total worldwide annual turnover, whichever is higher, without prejudice to any other administrative, non-judicial or judicial remedies.