After the disclosure of the security vulnerability in the open source software log4j and its classification by the German Federal Office for Information Security (BSI) as extremely critical, many companies are alarmed. A compromise can have far-reaching consequences, including in the area of data protection.
Given the large number of software products, IT systems and services known to be affected so far, there is an acute risk that the protection of personal data processed with them will be breached through unauthorised access, manipulation or data theft. Such a breach usually also constitutes a reportable personal data breach within the meaning of the GDPR.
As a consequence, it may be necessary to report the data breach to the competent data protection authority; this notification must be made within 72 hours. In addition, it may also be necessary to notify the data subjects, either individually or by public announcement. Violations of these reporting and notification obligations may result in heavy fines, and this also applies to late reporting.
As the data protection officer of a company, you should track the resulting data protection risks in close coordination with your IT or information security department. It is important to recognise the need for action (“What is potentially insecure?”), to identify the affected data (“What data is threatened?”) and to limit the possible risks by taking appropriate measures (“What can we do to solve the problem?”). Only in this way can you identify potential data breaches at an early stage or avoid them altogether, take the necessary steps, and at the same time ensure adequate technical data protection.