Security Article 5(1)(f), 5(2), 32
May 5, 2026 Inspired by: AEPD (Spain) via TechLaw.se

Who owns the system no one is using?


The Spanish e-commerce company that received a €1,090,000 fine didn't just have a security problem. They had an ownership problem. The old system remained connected without anyone updating it, monitoring it, or knowing it was still accessible from the internet.

When no one owns a system, no one owns the risk either. No one checks if the software is updated. No one logs who connects. No one asks the question — do we still need this?

The record of processing activities (RoPA) must contain an overview of the systems that process personal data. However, in many companies it is only updated when new systems are added, not when old systems should have been removed.

**Practical point:**
Every system that processes personal data needs an owner—a person responsible for updates, access, and decommissioning. Review the processing record. Are there systems listed there without a named responsible party? Then you have found the risk.
