[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fuzE3Dtj_lN6JW-IWSkDfpMNOSmY59D9l1ERKLxWJ3Gw":3},{"tableOfContents":4,"markDownContent":5,"htmlContent":6,"metaTitle":7,"metaDescription":7,"wordCount":8,"readTime":9,"title":10,"nbDownloads":11,"excerpt":7,"lang":12,"url":13,"intro":14,"featured":4,"state":15,"author":16,"authorId":17,"datePublication":23,"dateCreation":24,"dateUpdate":25,"mainCategory":26,"categories":42,"metaDatas":48,"imageUrl":49,"imageThumbUrls":50,"id":58},true,"## What the GDPR says\r\n \r\nThe GDPR imposes a general obligation of security of personal data. This obligation stems from Article 5 1. f) and Article 32.\r\n \r\n**Article 5 1. f)**\r\n\r\n> Personal data must be [...] processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).\r\n\r\n**Article 32**\r\n\r\n> Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:  \r\n>  (a) | the pseudonymisation and encryption of personal data;  \r\n>  (b) | the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;  \r\n>  (c) | the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;  \r\n>  (d) | a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the 
processing.\r\n\r\nIn France, the Data Protection Act also recalls this requirement in its article 4.\r\n \r\nThus, each processing operation must be subject to a set of security measures decided according to the context. **These obligations are therefore always adapted to the particularities of the processing and to the risks that it presents for the rights and freedoms of the data subjects**.\r\n \r\nArticle 32 is a reminder that all these security measures can reduce the risks for individuals. They thus preserve:\r\n \r\n▶ **The rights and freedoms of individuals**,\r\n \r\nbut also  \r\n ▶ **The organization's information assets**,  \r\n ▶ **The organization's reputation**.\r\n \r\nSince risks to people change rapidly (in nature, probability and severity, etc.), security measures must be integrated so that they keep reducing those risks over time.\r\n\r\n> NB: since security is a continuous process, it is advisable to update and control the installed procedures regularly.\r\n\r\nLet's go a step further and find out what Article 32.1 of the GDPR tells us:\r\n\r\n> \"**The controller and the processor are obliged** to implement the appropriate **technical, organizational** measures to ensure a level of security **adapted to the risks**, and in particular: pseudonymization and encryption of personal data, means to ensure the confidentiality, integrity, availability, constant resilience of the processing systems and services, means to restore the availability of and access to personal data within appropriate timeframes in the event of a physical or technical incident, a procedure to test, analyze, regularly evaluate the effectiveness of technical and organizational measures to ensure the security of the processing.\"\r\n\r\nThus, through the **extension of responsibility by the GDPR**, **these security obligations fall on the controller but also the processor**. 
Finally, these measures protect individuals, but also their data: we are talking about **integrity, confidentiality and availability** of data.\r\n \r\n## Reduce the risks\r\n \r\nThe obligation of security must be **understood in a global manner**, from the angle of 3 principles that reduce the risks:\r\n \r\n▶ Principle of **confidentiality**\r\n \r\n▶ Principle of **integrity**\r\n \r\n▶ Principle of **availability**\r\n \r\nEach principle counters a multitude of risks. For example:\r\n \r\n- Unauthorized access for data confidentiality,\r\n- Unauthorized modifications for data integrity,\r\n- Data inaccessibility for data availability.\r\n\r\n**The sources of these risks can be multiple, and each risk is assessed according to the probability of its occurring and the impact it would have if it materialized**.\r\n\r\n> **Examples of risks**:\r\n> \r\n> Risks can be **internal** or **external**.  \r\n>  **Stakeholders** (employees, visitors, competitors), by mishandling data, can accidentally or deliberately increase the risk of leakage, theft, loss, etc.,  \r\n>  The risk can come from **malicious attacks**, organized crime or others,  \r\n>  The risk can also come from **failures**, disasters, incidents, voluntary actions...\r\n\r\nIn short, **every data processing operation can easily be subject to security risks**, which justifies the **implementation of security measures.**\r\n \r\n## Security measures\r\n \r\nSome examples of security measures are suggested by the GDPR but not mandated:\r\n \r\n▶ The **encryption** of data: only the sender and the recipient can access the content. Once the data is encrypted, anyone without the specific key finds it inaccessible and unreadable.\r\n \r\n▶ The **pseudonymization**: replace an identifier, or more generally personal data, by a pseudonym. 
It is still possible to re-identify the person by combining the pseudonym with other information (thus different from anonymization).\r\n \r\nThe organization is thus obliged to take measures. There are 3 types of measures:\r\n \r\n▶ **physical** or \"hardware\" measures: locking doors, etc.;\r\n \r\n▶ **logical** or \"software\" measures: antivirus, passwords;\r\n \r\n▶ **organizational** measures: procedures, security governance.\r\n \r\n### Physical measures\r\n \r\nThis involves securing access to the premises while guaranteeing data security.\r\n\r\n> **Examples of measures**:\r\n> \r\n> Install anti-intrusion alarms, with verification,  \r\n>  Distinguish building zones according to risks, for example rooms housing servers,  \r\n>  Physically protect computer equipment,  \r\n>  Install locks in each office, etc.\r\n\r\n### Logical measures\r\n \r\n▶ Adopt a strict password policy for workstation access.\r\n\r\n> **Examples**:  \r\n>  Assign a unique user ID per user and prohibit shared accounts.  \r\n>  Require strong passwords.  \r\n>  Temporarily block account access after multiple failed authentications.\r\n\r\n▶ Secure workstations.\r\n\r\n> **Examples**:  \r\n>  Automatically lock workstations after a short period of inactivity.  \r\n>  Control the use of USB ports on sensitive workstations.\r\n\r\n▶ Trace access to the active database and the various archives.\r\n\r\n> **Examples**:  \r\n>  Make actors accountable by creating a procedure for tracing actions on files.  \r\n>  Regularly review the traces, using automated detection of suspicious actions.\r\n\r\n▶ Protect the internal computer network and servers from external attacks.\r\n\r\n> **Examples**:  \r\n>  Regularly updated firewalls and antivirus software.  
\r\n>  Secure channels and authentication systems for remote connections.  \r\n>  Limit access to administrative tools and interfaces to authorized personnel only.\r\n\r\n▶ Anticipate the risk of data loss or disclosure.\r\n\r\n> **Examples**:  \r\n>  Perform regular backups and store them at a separate site.  \r\n>  Protect logging equipment and logged information.  \r\n>  Systematically encrypt data stored on mobile devices (USB keys, smartphones, computers, etc.).\r\n\r\n### Organizational measures\r\n \r\nThese complement the physical and logical measures: they structure and create the procedures for applying the chosen security measures.\r\n \r\n▶ Data access control policy.\r\n\r\n> **Examples**:  \r\n>  Define procedures to be followed for each movement of personnel (arrival, departure, or change of assignment).  \r\n>  Conduct regular reviews of the rights granted to users.  \r\n>  Provide for checks to be carried out in the event of a request from a third party to transmit data (e.g. police services, etc.).\r\n\r\n▶ Make users aware of the conditions of data use.\r\n\r\n> **Examples**:  \r\n>  Distribute and have each user sign a computer charter, which reminds them of the conditions of use of computer equipment and personal data.  \r\n>  Regularly make users aware of internal and criminal rules, and of existing threats (breaches, cyber-manipulation, etc.).  \r\n>  Document data exploitation procedures, update them and make them available to users.\r\n\r\n▶ Define a policy for managing incidents involving personal data.\r\n\r\n> **Examples**:  \r\n>  Establish a procedure in case of theft/loss of personal data (people to notify, filing a complaint, etc.).  
\r\n>  Provide for the referent(s) to be notified in the event of a breach of data integrity, confidentiality, and availability.\r\n\r\n▶ Provide for regular audits of procedures and processing.\r\n\r\n> **Examples**:  \r\n>  Identify relevant processing for regular internal or external audit,  \r\n>  Establish a follow-up of the implementation of the measures recommended following the audits,  \r\n>  Establish criteria for reviewing risk analyses (deadlines, technological advances, publicized flaws, etc.).","\u003Ch2 id=\"what-the-gdpr-says\">What the GDPR says\u003C/h2>\r\n\u003Cp>The GDPR imposes a general obligation of security of personal data. This obligation stems from Article 5 1. f) and Article 32.\u003C/p>\r\n\u003Cp>\u003Cstrong>Article 5 1. f)\u003C/strong>\u003C/p>\r\n\u003Cblockquote>\r\n\u003Cp>Personal data must be [...] processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).\u003C/p>\r\n\u003C/blockquote>\r\n\u003Cp>\u003Cstrong>Article 32\u003C/strong>\u003C/p>\r\n\u003Cblockquote>\r\n\u003Cp>Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:\u003Cbr />\r\n(a) | the pseudonymisation and encryption of personal data;\u003Cbr />\r\n(b) | the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;\u003Cbr />\r\n(c) | the ability to restore the availability and access to personal data in a timely 
manner in the event of a physical or technical incident;\u003Cbr />\r\n(d) | a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.\u003C/p>\r\n\u003C/blockquote>\r\n\u003Cp>In France, the Data Protection Act also recalls this requirement in its article 4.\u003C/p>\r\n\u003Cp>Thus, each processing operation must be subject to a set of security measures decided according to the context. \u003Cstrong>These obligations are therefore always adapted to the particularities of the processing and to the risks that it presents for the rights and freedoms of the data subjects\u003C/strong>.\u003C/p>\r\n\u003Cp>Article 32 is a reminder that all these security measures can reduce the risks for individuals. They thus preserve:\u003C/p>\r\n\u003Cp>▶ \u003Cstrong>The rights and freedoms of individuals\u003C/strong>,\u003C/p>\r\n\u003Cp>but also\u003Cbr />\r\n▶ \u003Cstrong>The organization's information assets\u003C/strong>,\u003Cbr />\r\n▶ \u003Cstrong>The organization's reputation\u003C/strong>.\u003C/p>\r\n\u003Cp>Since risks to people change rapidly (in nature, probability and severity, etc.), security measures must be integrated so that they keep reducing those risks over time.\u003C/p>\r\n\u003Cblockquote>\r\n\u003Cp>NB: since security is a continuous process, it is advisable to update and control the installed procedures regularly.\u003C/p>\r\n\u003C/blockquote>\r\n\u003Cp>Let's go a step further and find out what Article 32.1 of the GDPR tells us:\u003C/p>\r\n\u003Cblockquote>\r\n\u003Cp>\"\u003Cstrong>The controller and the processor are obliged\u003C/strong> to implement the appropriate \u003Cstrong>technical, organizational\u003C/strong> measures to ensure a level of security \u003Cstrong>adapted to the risks\u003C/strong>, and in particular: pseudonymization and encryption of personal data, means to ensure the 
confidentiality, integrity, availability, constant resilience of the processing systems and services, means to restore the availability of and access to personal data within appropriate timeframes in the event of a physical or technical incident, a procedure to test, analyze, regularly evaluate the effectiveness of technical and organizational measures to ensure the security of the processing.\"\u003C/p>\r\n\u003C/blockquote>\r\n\u003Cp>Thus, through the \u003Cstrong>extension of responsibility by the GDPR\u003C/strong>, \u003Cstrong>these security obligations fall on the controller but also the processor\u003C/strong>. Finally, these measures protect individuals, but also their data: we are talking about \u003Cstrong>integrity, confidentiality and availability\u003C/strong> of data.\u003C/p>\r\n\u003Ch2 id=\"reduce-the-risks\">Reduce the risks\u003C/h2>\r\n\u003Cp>The obligation of security must be \u003Cstrong>understood in a global manner\u003C/strong>, from the angle of 3 principles that reduce the risks:\u003C/p>\r\n\u003Cp>▶ Principle of \u003Cstrong>confidentiality\u003C/strong>\u003C/p>\r\n\u003Cp>▶ Principle of \u003Cstrong>integrity\u003C/strong>\u003C/p>\r\n\u003Cp>▶ Principle of \u003Cstrong>availability\u003C/strong>\u003C/p>\r\n\u003Cp>Each principle counters a multitude of risks. 
For example:\u003C/p>\r\n\u003Cul>\r\n\u003Cli>Unauthorized access for data confidentiality,\u003C/li>\r\n\u003Cli>Unauthorized modifications for data integrity,\u003C/li>\r\n\u003Cli>Data inaccessibility for data availability.\u003C/li>\r\n\u003C/ul>\r\n\u003Cp>\u003Cstrong>The sources of these risks can be multiple, and each risk is assessed according to the probability of its occurring and the impact it would have if it materialized\u003C/strong>.\u003C/p>\r\n\u003Cblockquote>\r\n\u003Cp>\u003Cstrong>Examples of risks\u003C/strong>:\u003C/p>\r\n\u003Cp>Risks can be \u003Cstrong>internal\u003C/strong> or \u003Cstrong>external\u003C/strong>.\u003Cbr />\r\n\u003Cstrong>Stakeholders\u003C/strong> (employees, visitors, competitors), by mishandling data, can accidentally or deliberately increase the risk of leakage, theft, loss, etc.,\u003Cbr />\r\nThe risk can come from \u003Cstrong>malicious attacks\u003C/strong>, organized crime or others,\u003Cbr />\r\nThe risk can also come from \u003Cstrong>failures\u003C/strong>, disasters, incidents, voluntary actions...\u003C/p>\r\n\u003C/blockquote>\r\n\u003Cp>In short, \u003Cstrong>every data processing operation can easily be subject to security risks\u003C/strong>, which justifies the \u003Cstrong>implementation of security measures.\u003C/strong>\u003C/p>\r\n\u003Ch2 id=\"security-measures\">Security measures\u003C/h2>\r\n\u003Cp>Some examples of security measures are suggested by the GDPR but not mandated:\u003C/p>\r\n\u003Cp>▶ The \u003Cstrong>encryption\u003C/strong> of data: only the sender and the recipient can access the content. Once the data is encrypted, anyone without the specific key finds it inaccessible and unreadable.\u003C/p>\r\n\u003Cp>▶ The \u003Cstrong>pseudonymization\u003C/strong>: replace an identifier, or more generally personal data, by a pseudonym. It is still possible to re-identify the person by combining the pseudonym with other information (thus different from anonymization).\u003C/p>\r\n\u003Cp>The organization is thus obliged to take measures. 
There are 3 types of measures:\u003C/p>\r\n\u003Cp>▶ \u003Cstrong>physical\u003C/strong> or \"hardware\" measures: locking doors, etc.;\u003C/p>\r\n\u003Cp>▶ \u003Cstrong>logical\u003C/strong> or \"software\" measures: antivirus, passwords;\u003C/p>\r\n\u003Cp>▶ \u003Cstrong>organizational\u003C/strong> measures: procedures, security governance.\u003C/p>\r\n\u003Ch3 id=\"physical-measures\">Physical measures\u003C/h3>\r\n\u003Cp>This involves securing access to the premises while guaranteeing data security.\u003C/p>\r\n\u003Cblockquote>\r\n\u003Cp>\u003Cstrong>Examples of measures\u003C/strong>:\u003C/p>\r\n\u003Cp>Install anti-intrusion alarms, with verification,\u003Cbr />\r\nDistinguish building zones according to risks, for example rooms housing servers,\u003Cbr />\r\nPhysically protect computer equipment,\u003Cbr />\r\nInstall locks in each office, etc.\u003C/p>\r\n\u003C/blockquote>\r\n\u003Ch3 id=\"logical-measures\">Logical measures\u003C/h3>\r\n\u003Cp>▶ Adopt a strict password policy for workstation access.\u003C/p>\r\n\u003Cblockquote>\r\n\u003Cp>\u003Cstrong>Examples\u003C/strong>:\u003Cbr />\r\nAssign a unique user ID per user and prohibit shared accounts.\u003Cbr />\r\nRequire strong passwords.\u003Cbr />\r\nTemporarily block account access after multiple failed authentications.\u003C/p>\r\n\u003C/blockquote>\r\n\u003Cp>▶ Secure workstations.\u003C/p>\r\n\u003Cblockquote>\r\n\u003Cp>\u003Cstrong>Examples\u003C/strong>:\u003Cbr />\r\nAutomatically lock workstations after a short period of inactivity.\u003Cbr />\r\nControl the use of USB ports on sensitive workstations.\u003C/p>\r\n\u003C/blockquote>\r\n\u003Cp>▶ Trace access to the active database and the various archives.\u003C/p>\r\n\u003Cblockquote>\r\n\u003Cp>\u003Cstrong>Examples\u003C/strong>:\u003Cbr />\r\nMake actors accountable by creating a procedure for tracing actions on files.\u003Cbr />\r\nRegularly review the traces, using automated detection 
of suspicious actions.\u003C/p>\r\n\u003C/blockquote>\r\n\u003Cp>▶ Protect the internal computer network and servers from external attacks.\u003C/p>\r\n\u003Cblockquote>\r\n\u003Cp>\u003Cstrong>Examples\u003C/strong>:\u003Cbr />\r\nRegularly updated firewalls and antivirus software.\u003Cbr />\r\nSecure channels and authentication systems for remote connections\u003Cbr />\r\nLimit access to administrative tools and interfaces to authorized personnel only.\u003C/p>\r\n\u003C/blockquote>\r\n\u003Cp>▶ Anticipate the risk of data loss or disclosure.\u003C/p>\r\n\u003Cblockquote>\r\n\u003Cp>\u003Cstrong>Examples\u003C/strong>:\u003Cbr />\r\nPerform regular backups and store them at a separate site.\u003Cbr />\r\nProtect logging equipment and logged information.\u003Cbr />\r\nSystematically encrypt data stored on mobile devices (USB keys, smartphones, computers, etc.)\u003C/p>\r\n\u003C/blockquote>\r\n\u003Ch3 id=\"organizational-measures\">Organizational measures\u003C/h3>\r\n\u003Cp>These are complementary to the physical or logical measures, and structure and create the procedures for the application of the chosen security measures.\u003C/p>\r\n\u003Cp>▶ Data access control policy.\u003C/p>\r\n\u003Cblockquote>\r\n\u003Cp>\u003Cstrong>Examples\u003C/strong>:\u003Cbr />\r\nDefine procedures to be followed for each movement of personnel (arrival, departure, or change of assignment).\u003Cbr />\r\nConduct regular reviews of the rights granted to users\u003Cbr />\r\nProvide for checks to be carried out in the event of a request from a third party to transmit data (e.g. 
police services, etc.).\u003C/p>\r\n\u003C/blockquote>\r\n\u003Cp>▶ Make users aware of the conditions of data use.\u003C/p>\r\n\u003Cblockquote>\r\n\u003Cp>\u003Cstrong>Examples\u003C/strong>:\u003Cbr />\r\nDistribute and have each user sign a computer charter, which reminds them of the conditions of use of computer equipment and personal data.\u003Cbr />\r\nRegularly make users aware of internal and criminal rules, and of existing threats (breaches, cyber-manipulation, etc.).\u003Cbr />\r\nDocument data exploitation procedures, update them and make them available to users.\u003C/p>\r\n\u003C/blockquote>\r\n\u003Cp>▶ Define a policy for managing incidents involving personal data.\u003C/p>\r\n\u003Cblockquote>\r\n\u003Cp>\u003Cstrong>Examples\u003C/strong>:\u003Cbr />\r\nEstablish a procedure in case of theft/loss of personal data (people to notify, filing a complaint, etc).\u003Cbr />\r\nProvide for the referent(s) to be notified in the event of a breach of data integrity, confidentiality, and availability.\u003C/p>\r\n\u003C/blockquote>\r\n\u003Cp>▶ Provide for regular audits of procedures and processing.\u003C/p>\r\n\u003Cblockquote>\r\n\u003Cp>\u003Cstrong>Examples\u003C/strong>:\u003Cbr />\r\nIdentify relevant processing for regular internal or external audit,\u003Cbr />\r\nEstablish a follow-up of the implementation of the measures recommended following the audits,\u003Cbr />\r\nEstablish criteria for reviewing risk analyses (deadlines, technological advances, publicized flaws, etc.).\u003C/p>\r\n\u003C/blockquote>\r\n",null,1214,7,"Security measures under the GDPR",0,"en","security-measures-gdpr","What security measures are expected by GDPR? 
","Published",{"id":17,"displayName":18,"avatarUrl":19,"bio":20,"blogUrl":21,"color":7,"userId":17,"creationDate":22},31,"Jérôme de Mercey","https://static.dastra.eu/tenant-10/avatar/31/Zuh7XFZe5EnnTo/design-sans-titre-2-150.png","COO/cofounder","https://www.dastra.eu","2021-11-15T12:57:57","2021-06-07T21:45:42.924","2021-06-08T13:17:23.1443786","2023-12-28T13:54:09.1497342",{"id":27,"name":28,"description":29,"url":30,"color":31,"parentId":7,"count":7,"imageUrl":7,"parent":7,"order":11,"translations":32},2,"Blog","A list of curated articles provided by the community","blog","#28449a",[33,36,39],{"lang":34,"name":28,"description":35},"fr","Une liste d'articles rédigés par la communauté",{"lang":37,"name":28,"description":38},"es","Una lista de artículos escritos por la comunidad",{"lang":40,"name":28,"description":41},"de","Eine Liste von Artikeln, die von der Community verfasst wurden",[43],{"id":27,"name":28,"description":29,"url":30,"color":31,"parentId":7,"count":7,"imageUrl":7,"parent":7,"order":11,"translations":44},[45,46,47],{"lang":34,"name":28,"description":35},{"lang":37,"name":28,"description":38},{"lang":40,"name":28,"description":41},[],"https://static.dastra.eu/content/76f471e7-4619-4fba-92e0-cbdd61b53e99/security-1000.png",[51,52,53,54,55,56,57],"https://static.dastra.eu/content/76f471e7-4619-4fba-92e0-cbdd61b53e99/security-1000.webp","https://static.dastra.eu/content/76f471e7-4619-4fba-92e0-cbdd61b53e99/security.webp","https://static.dastra.eu/content/76f471e7-4619-4fba-92e0-cbdd61b53e99/security-1500.webp","https://static.dastra.eu/content/76f471e7-4619-4fba-92e0-cbdd61b53e99/security-800.webp","https://static.dastra.eu/content/76f471e7-4619-4fba-92e0-cbdd61b53e99/security-600.webp","https://static.dastra.eu/content/76f471e7-4619-4fba-92e0-cbdd61b53e99/security-300.webp","https://static.dastra.eu/content/76f471e7-4619-4fba-92e0-cbdd61b53e99/security-100.webp",2461]