Appendix
C. Definitions of causes of corporate data protection malpractices
| Category / subcategory | Definition (there are data protection malpractices within organizations because they ...) |
|---|---|
| Inadequate technical measures (IAT) | |
| Inadequate technical safeguards against cyber intrusion (IAT1) | Lack sufficient technical safeguards to protect the network from cyberattacks |
| Inadequate technical measures to ensure the security of data storage (IAT2) | Lack sufficient technical measures to ensure the integrity and confidentiality of stored personal data |
| Inadequate technical measures to ensure the security of data processing (IAT3) | Lack sufficient technical measures to ensure the integrity and confidentiality of personal data during processing |
| Inadequate technical measures to ensure the security of data transfer (IAT4) | Lack sufficient technical measures to ensure the integrity and confidentiality of personal data during transfer |
| Inadequate technical measures to ensure the security of data disposal (IAT5) | Lack sufficient technical measures to ensure the secure disposal of documents that contain personal data |
| Intrusive technical measures (ITT) | |
| Intrusive use of surveillance systems (ITT1) | Use surveillance systems (e.g., CCTV) in an intrusive way |
| Intrusive use of tracking technologies (ITT2) | Use tracking technologies (e.g., cookies) in an intrusive way |
| Intrusive use of portable data storage devices (ITT3) | Use portable data storage devices (e.g., USB sticks) in an intrusive way |
| Inadequate organizational measures (IAO) | |
| Inadequate identity authentication (IAO1) | Lack sufficient authentication procedures to verify the identity of data subjects and to validate the accuracy of their personal data |
| Poorly designed privacy policy (IAO2) | Adopt a privacy policy that deviates from the requirements of data protection regulation |
| Inadequate control of access to personal data (IAO3) | Lack sufficient control over employees' access to personal data |
| Inadequate supportive resources for data protection practices (IAO4) | Fail to provide sufficient resources (e.g., the appointment of a data protection officer) to support corporate data protection practices |
| Inadequate digital forgetting mechanism (IAO5) | Lack, or poorly implement, digital forgetting mechanisms that stipulate the data retention period and the data forgetting procedures |
| Inadequate internal training (IAO6) | Fail to conduct sufficient training of employees on compliance with internal guidelines as well as national data protection regulations |
| Absence of data protection impact assessment (IAO7) | Lack an assessment of the impact of the envisaged data processing on the protection of personal data before the processing starts, in particular when using new technologies |
| Absence of regular and extensive security risk checks (IAO8) | Lack regular and extensive checks on the effectiveness of the measures applied to ensure data security |
| Inadequate due diligence (IAO9) | Lack sufficient investigation of the data security of another organization before entering into an agreement or contract with it |
| Intrusive organizational measures (ITO) | |
| Intrusive data harvesting mechanism (ITO1) | Harvest personal data, in particular sensitive data, beyond what is necessary in relation to the claimed purposes |
| Intrusive data processing mechanism (ITO2) | Process personal data, in particular sensitive data, beyond what is necessary in relation to the claimed purposes |
| Disregard for its obligations to obtain informed consent (ITO3) | Do not comply with the obligation to obtain informed consent from the data subjects |
| Disregard for its obligations to fulfil the data rights of the data subjects (ITO4) | Do not comply with the obligation to fulfil the data rights of the data subjects |
| Disregard for its obligations to cooperate with the supervisory authority (ITO5) | Do not comply with the obligation to cooperate with the supervisory authority |