The GDPR: Is your security of personal data up to par?
Anyone to whom you put the question whether it is important for an organisation to secure its ICT systems will answer this question affirmatively. Nevertheless in this regard things all too often go wrong. This was obviously shown in 2017 when organisations were facing the threat of paralysis because of the attack by WannaCry.
On 25 May 2018 the General Data Protection Regulation (“GDPR”) comes into force. At that moment organisations have had a period of two years to become privacy proof. The GDPR contains rules and regulations in the field of processing personal data. Responsibly dealing with personal data stands and falls with a sufficient security of those personal data. Because, if that security is inadequate a personal data breach could be a result.
Earlier we gave you ten tips to get your organization ready for the GDPR. Below I shall deal with tip 9 in more detail: Is the security of the personal data in your organisation up to par? The controller as well as the processor are responsible for a sound technical and organisational security of systems with which personal data are being processed.
Measures to protect personal data
The GDPR stipulates that an organisation must take appropriate technical and organisational measures to protect the personal data it processes.
Technical measures imply that an organisation must use a modern technique. The use of an outdated or obsolete security technique for that reason renders a system more vulnerable. Adequate organisational measures mean amongst other things that an organisation should have a policy in the field of dealing with personal data. It must for example be clear who have access and to which data.
Before an organisation starts the processing of personal data, thought should be given to the security of those data. But also afterwards the security must continue to be a point of attention. Security of personal data is not a static object with the technological progress.
Data minimisation and accessibility
As an organisation you should ensure that you do not collect and use more data than necessary. Organisations are inclined to collect all kinds of data and to record them, but quite often a major part of those data is not necessary for carrying out specific acts. For that reason it is important that you organise your system in such manner that merely a minimum amount of personal data is asked for and saved. In the unlikely event that something goes wrong the impacts are more limited. In that regard data minimisation is also a form of security.
Apart from that it is important that the access to personal data is limited, because, the more persons have access to the data, the bigger the chance is that there will be abuse or data breaches.
Therefore you should take care that only authorised employees have access. And apart from that it should be taken care of that afterwards it can be checked who has consulted the data and when, i.e., make use of logging.
If you ask for online data of, for example, customers, it is wise that a secure internet connection is used. A secured internet connection can be recognised by the extra ‘s’ in the URL, namely “https//”. A secured internet connection prevents those who are unauthorized from reading along when the data are filled out.
Other possibilities to secure personal data
Apart from the forms of security mentioned above there are more ways to deal safely with personal data, for example by making use of encryption, pseudonymisation, and multi-factor authentication.
Encryption means scrambling files. Briefly this implies that only those who have the key can consult the contents of the file. These persons are often only the sender and the intended receiver(s). Third parties who intercept the scrambled file cannot consult it without a key.
Pseudonymisation means that the identifying data are replaced by other data. It concerns a method to work with personal data without knowing to which persons these data are related. The data can be traced back to the specific individual, but only when additional data are being used. An example of pseudonymysation is assignation of a customer number.
Because pseudonymisation is not irreversible, the GDPR applies here.
This is not the case if data are made anonymous and cannot be traced back to a specific person. If pseudonymisation is used it is of importance that unauthorised persons cannot make the link to the file with additional data.
Multi-factor authentication is a form of access security where a user must identify himself with a minimum of two factors before being allowed access to a computer or application. Common forms of this manner of security are using a users’ name in combination with a password, an external device (such as a telephone, a token or access pass), or of bio-metric data (for example a fingerprint, iris scan or speech recognition).
Privacy by design / privacy by default
The GDPR moreover contains a duty to provide data protection by design and default settings, called ‘privacy by design’ and ‘privacy by default’. The underlying idea is that privacy is taken into account from the beginning of a design process. Beforehand thought must be given to technical and organisational measures that protect personal data. Afterwards you install those measures in processes and systems. In the next blog the privacy by design and the privacy by default will be elaborated on.
Security must be tailored to your specific needs. What your organisation should do and how far you should go is dependent on the nature of your organization and of the question which data you process and for which reason.
Therefore it is advisable that you seek detailed information in the field of security from specialists. Apart from that it is important that you record your considerations when deciding whether or not to apply specific methods of security. Should it then go wrong at a certain stage you will be able to show to the Dutch Data Protection Authority that you did actually think about the measures taken and that you took a well-reflected decision. The latter is of importance within the scope of the accountability imposed by the GDPR.
Are you working on a project where personal data are going to be processed and do you wish to know which measures you should take? Then contact PlasBossinade.