Every January 28th we celebrate Data Protection Day, a date established by the Council of Europe to remind us of the importance of guaranteeing the fundamental right to privacy. For companies and professionals, this day is not just an event on the calendar, but a critical opportunity to assess the robustness of our systems and the security culture of the organization.
In an increasingly complex digital environment, the question is not whether we will suffer an incident, but when. Recent news constantly reminds us that even corporate giants are vulnerable.
Recently, we have witnessed one of the most widely reported incidents in the energy sector. The breach at Endesa has shown how a single vulnerability can expose the sensitive data of thousands of users (names, ID numbers, addresses and billing details). Many SMEs should see this case as a mirror: if a large corporation with a cybersecurity budget of millions can suffer a breach, no business is exempt from risk.
The Endesa incident teaches us that data protection does not end with formal compliance with the GDPR; it requires constant vigilance and, above all, an immediate action plan when security fails.
Faced with the threat of information theft, prevention and a rapid reaction are your best allies. Three fundamental pillars protect your organization and your customers. First, rely on audits and keep your protocols active: it is not enough to have the documents in a drawer. Carry out technical audits and continuous training for employees (the “human factor” is usually the most common entry point for phishing). Second, provide encryption and pseudonymization: if data is correctly encrypted, then even if it is stolen the information will be unreadable and useless to cybercriminals. Third, and in the same vein, promote a culture of strong passwords and two-factor authentication (2FA); it is the simplest and most effective barrier against unauthorized access.
What to do if you have already been a victim?
If an incident cannot be avoided, you also need a planned reaction, that is, a contingency plan. The GDPR is strict here: in the event of a breach that poses a risk to individuals, the company has a maximum of 72 hours to notify the supervisory authority (AEPD). Having a clear protocol saves penalties and reputational damage.
Finally, if you find yourself in a situation like those affected by the Endesa case, transparency is key. You must communicate clearly with those affected, recommend changing their passwords, and monitor any suspicious movements in their bank accounts.
Let's take this January 28th to remind ourselves that data protection is not a bureaucratic burden, but an investment in the trust of your customers. A company that takes care of data is a company that endures.
Jordi Ventura