Security Requirements of the GDPR

The GDPR requires that “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk … account shall be taken in particular of the risks that are presented by processing … which could lead to physical, material or non-material damage.”

It helpfully spells out what processing may present a risk of damage. This includes processing that may lead to discrimination, identity fraud or a breach of professional secrecy; processing where data subjects may be deprived of their rights or of control over their data; processing that may lead to disclosure of racial, religious, genetic and other special category data; evaluation of personal aspects, such as work performance, health, reliability or economic situation; processing of vulnerable persons’ data; and processing on a large scale. In summary, a risk of damage may result from much of the processing that takes place in a corporate environment, and the risk of non-material damage may not be dismissed as negligible.

Steps You Should Take

IT departments want to know which specific things they must implement in their organisation. Unfortunately, the answer is often vague, as in “Carry out a privacy assessment, consider the risks and implement appropriate measures.” But let’s try to decipher what this means.

A detailed and objective privacy impact assessment sets out the type of personal data being processed and the intended processing operations, and evaluates the risks in the categories mentioned above. It is important to note that this exercise is intended for personal data rather than data in general. Because data security has been elevated to a management issue, rather than a matter simply for the IT department, this assessment should be led by the compliance function (or the Data Protection Officer, if you have one) and should involve senior stakeholders from all departments, including IT, HR, finance, legal, marketing and sales. You may wish to seek help from external advisers to guide you through the various stages of the assessment and to reach objective conclusions.

Based on the results of your risk assessment, select appropriate technical and organisational controls and make sure your stakeholders agree that they will be effective and can be implemented within the appropriate timescale. The level of risk should dictate the investment in mitigating it. The GDPR says the measures may include pseudonymisation, encryption, measures ensuring ongoing confidentiality, integrity, availability and resilience of systems, and measures for monitoring, testing and evaluating their effectiveness, plus an incident response plan which includes a backup and recovery strategy. If you need to, you can seek external help, perhaps from penetration testers who can accurately determine and assess the security vulnerabilities of your systems. Penetration testers can usually provide a range of services, from a simple vulnerability scan to a full “Red Team Exercise” in which they act as malicious attackers.

If you genuinely feel that some of the measures should but cannot be implemented in your organisation to mitigate any proposed high risk processing, then consult your data protection authority (ICO in the UK) and do not start processing before you have done so.

As well as technical controls, you also need to introduce appropriate organisational measures into your business operations. Depending on your starting point, this step can take months of preparation, communications and awareness raising, culminating in the launch of the measures and the publication of easy-to-follow policies which tell your employees what they need to know in order to make the measures work.

Technical and Organisational Measures Under the GDPR

Please note that the list below is based on assumptions and is intended for guidance only. It should not be relied on without carrying out a privacy impact assessment and obtaining security and legal advice. The GDPR does not specifically mention these measures; they are derived from commonly adopted security measures and from trends in enforcement action by data protection regulators. It is also important to mention that the requirements set out below are not necessarily new to the GDPR and will to a large extent also apply under the current legislation.

Firewalls: If your systems are connected to the internet, which is likely in the 21st century, you should have firewalls which are properly configured and reviewed regularly.

User Access Control: Access to personal data should be restricted. This is typically implemented through user accounts. Please note that, in order to comply, there should be no one person in your organisation with full access to all files; even your network administrator should have restricted access. It is recommended that the network administrator’s ‘normal’ user account and his/her account with administrator privileges be separated, with the privileged account used only when appropriate. This makes auditing and control of administrator actions much simpler.

Passwords: Use unique passwords of sufficient complexity, with regular expiry, on all devices to defend against dictionary and rainbow table attacks. The use of two-factor authentication is also becoming more common on sensitive systems and should be used if available.

Patching: Regular software updates should be applied, if appropriate, by using patch management software.

Secure Decommissioning: Timely decommissioning and secure wiping (that renders data unrecoverable) of old software and hardware. Data should not be recoverable from old devices.

Anti-Virus: Real-time protection anti-virus, anti-malware and anti-spyware software should be installed on systems.

Encryption: Use of encryption may include encrypted data storage devices, use of VPN and email encryption. Encryption of personal data in transit by using suitable encryption solutions should be mandated. If your organisation processes minimal amounts of personal data, encryption will not strictly be a legal requirement and organisations may achieve appropriate levels of security and comply with the law by other means.

Secure Configuration: All devices including servers, PCs, laptops and mobile phones should be securely configured (hardened) before being used to process any data.

IDS/IPS: Put in place intrusion detection and prevention systems.

Data Backup: Data should be backed up appropriately for your required recovery timescales. Backups should be protected and tested.

Training: Vet and train staff, contractors, vendors and suppliers on a continuous basis, as individuals are often the weakest link. Provide training to staff on data processing obligations and on the identification of breaches and risks. Even with state-of-the-art security software you may not be able to prevent some breaches without appropriately trained staff.

Contracts: Insist on non-disclosure agreements prior to entering into formalised agreements and make sure security requirements are clearly stated in contracts with suppliers and partners.

Physical Security: Ensure physical security for buildings, offices, equipment and physical documents. This should include clear desk and clear screen policies, and secure disposal policies.

BYOD: If you allow use of personal devices for work you will need a policy and controls for those devices.

Other commonly adopted security practices:

2FA: Consider multi-factor authentication, especially for remote access. The second factor can be a fob carried by the user or, more commonly these days, a corporate mobile phone.

Wi-Fi: Generally, any Wi-Fi access to the corporate network should use a strong authentication method that grants access only to authenticated users. Keep the Wi-Fi passcode confidential and change it regularly to prevent the creation of “evil twin” Wi-Fi access points.

Web Filtering: Implement web filtering to prevent access to hazardous URLs.

ISO 27001: We would recommend that businesses processing personal data implement and certify against the ISO 27001 standard. SMEs should comply with at least the standards advocated by the UK Government’s Cyber Essentials Scheme, ideally the “Plus” version, which includes external testing. However, SMEs that regularly deal with larger clients may well have to take the ISO route in order to remain competitive and satisfy their clients’ needs.

Finally, every organisation should consider taking out a cyber-security insurance policy. Insurers will demand a certain standard of security and may be unable to quote if the responses to their questionnaires show gaps in your security framework. A £5 million indemnity limit is common, and it is yet to be seen whether the insurance industry will increase it to cover the potential €20 million fines which data protection regulators will be able to impose from 2018. It is also worth noting that even if a policy is approved, it may not pay out if an incident was caused by failed controls, such as an unpatched firewall. Be vigilant.