What does the GDPR say about security measures?
The GDPR imposes a general obligation to ensure the security of personal data. This obligation derives from Article 5(1)(f) and Article 32.
Article 5(1)(f)
Personal data must be [...] processed in such a way as to ensure appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality).
Article 32(1)
Having regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing and the risks to the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, inter alia, as necessary:
pseudonymisation and encryption of personal data;
means to ensure the continued confidentiality, integrity, availability and resilience of processing systems and services;
means to restore the availability of and access to personal data within an appropriate timeframe in the event of a physical or technical incident;
a procedure for regularly testing, analysing and evaluating the effectiveness of technical and organisational measures to ensure the security of processing.
Each processing operation must therefore be subject to a set of security measures chosen according to its context. These obligations are always adapted to the specific features of the processing and to the risks it presents for the rights and freedoms of the data subjects.
Article 32 reiterates that all these security measures can reduce the risks to individuals. They thus preserve:
▶ the rights and freedoms of individuals,
▶ the organisation's information assets,
▶ the organisation's reputation.
At a time when risks to individuals are evolving rapidly (changing in nature, probability and severity, etc.), security measures must be integrated so as to reduce the risks to individuals, including over time.
NB: as security is an ongoing process, it is important to regularly review and update the procedures in place.
Let's go a step further and find out what Article 32.1 of the GDPR tells us:
"The controller and the processor have an obligation to implement appropriate technical, organisational measures in order to guarantee a level of security adapted to the risks, and in particular: the pseudonymisation and encryption of personal data, the means to guarantee the confidentiality, integrity, availability, constant resilience of processing systems and services, the means to restore the availability of personal data and access to it within the appropriate timescales in the event of a physical or technical incident, a procedure to test, analyse, regularly evaluate the effectiveness of the technical and organisational measures to ensure the security of the processing."
Because the GDPR extends responsibility, these security obligations fall on the processor as well as the controller. Finally, these measures protect not only individuals but also their data: this is what is meant by data integrity, confidentiality and availability.
The security obligation must be understood globally, from the angle of 3 principles that enable risks to be reduced:
▶ Principle of confidentiality
▶ Principle of integrity
▶ Principle of availability
Each principle helps avoid a multitude of risks. For example:
- Unauthorised access for data confidentiality,
- Unjustified modifications for data integrity,
- Data inaccessibility for data availability.
The sources of these risks can be many. Each risk is assessed according to the probability that it occurs and the impact it would have if it did.
Examples of risks:
Risks can be internal or external.
- Stakeholders (employees, visitors, competitors) who mishandle data can accidentally or deliberately increase the risk of leakage, theft, loss, etc.
- The risk may come from malicious attacks, organised crime or other sources.
- Risk can also arise from failures, disasters, incidents, deliberate actions, etc.
In short, every data processing operation can easily be subject to security risks, which is why security measures need to be put in place.
A few examples of security measures are suggested by the GDPR but not imposed:
▶ Encryption of data: only the sender and the recipient can access the content. Once the data is encrypted, the specific key is required; without it the message is inaccessible and unreadable.
▶ Pseudonymisation: replacing an identifier, or more generally personal data, with a pseudonym. It remains possible to re-identify the person by combining the pseudonym with other information, which is what distinguishes it from anonymisation.
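As an added illustration (not part of the original page), the Python below shows the distinction just described: the e-mail address is replaced by a keyed pseudonym, and the correspondence table, kept apart from the dataset, is what still allows re-identification, whereas anonymised data keeps neither. The records, key and names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; the e-mail address is the direct identifier.
RECORDS = [
    {"email": "alice@example.org", "age": 34, "city": "Lyon"},
    {"email": "bob@example.org", "age": 41, "city": "Lille"},
]

def pseudonym(identifier: str, key: bytes) -> str:
    # Keyed hash: the same identifier always yields the same pseudonym under the same key,
    # so records stay linkable, but the pseudonym cannot be reversed without the key.
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()

def pseudonymise(records: list, key: bytes):
    """Return the pseudonymised dataset and, separately, the correspondence table."""
    dataset, table = [], {}
    for rec in records:
        pid = pseudonym(rec["email"], key)
        table[pid] = rec["email"]          # kept apart from the dataset, under access control
        dataset.append({"id": pid, "age": rec["age"], "city": rec["city"]})
    return dataset, table

def reidentify(dataset: list, table: dict) -> list:
    # Combining the pseudonymised data with the table restores the original records:
    # this is why pseudonymised data is still personal data under the GDPR.
    return [{"email": table[r["id"]], "age": r["age"], "city": r["city"]} for r in dataset]

def anonymise(records: list) -> list:
    # Anonymisation, by contrast, keeps no identifier and no table, so the data holder
    # can no longer re-identify anyone from the data itself.
    return [{"age": rec["age"], "city": rec["city"]} for rec in records]

if __name__ == "__main__":
    key = secrets.token_bytes(32)      # the re-identification secret, stored separately
    data, table = pseudonymise(RECORDS, key)
    print(data)
    print(reidentify(data, table) == RECORDS)
```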
The organisation is therefore obliged to take measures. There are 3 types of measures:
▶ physical or material measures: locking doors, etc.;
▶ logical or software measures: antivirus, password protection, etc.;
▶ organisational measures: procedures, security governance.
Physical measures concern access to premises: access must remain practical for those who work there while the security of the data is guaranteed.
Examples of measures:
- Install intruder alarms, with verification of access.
- Distinguish between areas of buildings according to risk, for example server rooms.
- Physically protect IT equipment.
- Install locks in each office.
Examples of logical measures:
▶ Adopt a rigorous password policy for access to workstations.
- Unique identifier per user and prohibition of shared accounts.
- Require strong passwords.
- Temporarily block access to the account after several failed authentications.
▶ Secure workstations.
- Automatic locking of workstations following a short period of inactivity.
- Control the use of USB ports on sensitive workstations.
▶ Trace access to the active database and the various archives.
- Make those involved accountable by creating a procedure for tracing actions on files.
- Regular monitoring of traces via automated detection of suspicious actions.
▶ Protect the internal computer network and servers from external attacks.
- Keep firewalls and antivirus software regularly updated.
- Use secure channels and authentication systems for remote connections.
- Limit access to administration tools and interfaces to authorised personnel only.
▶ Anticipate the risk of data loss or disclosure.
- Carry out regular back-ups and store them on a separate site.
- Protect logging equipment and logged information.
- Systematically encrypt data stored on mobile devices (USB sticks, smartphones, computers, etc.).
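The password-policy items above (one identifier per user, strong passwords, temporary blocking after repeated failures) and the tracing of access can be implemented together; the Python below is an added example, not code from the original page, with the threshold of 5 failures, the 15-minute block and the strength rule all being assumed policy values.

```python
import hashlib
import hmac
import re
import secrets

MAX_FAILURES = 5        # consecutive failures before the account is blocked (assumed policy value)
LOCK_SECONDS = 15 * 60  # duration of the temporary block in seconds (assumed policy value)

def password_is_strong(pw: str) -> bool:
    # Illustrative rule: at least 12 characters with lower case, upper case and a digit.
    return (len(pw) >= 12 and re.search(r"[a-z]", pw) is not None
            and re.search(r"[A-Z]", pw) is not None and re.search(r"\d", pw) is not None)

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Directory:
    def __init__(self):
        self.accounts = {}  # one entry per person; a second account on the same identifier is refused
        self.audit = []     # trace of authentication events, kept for later review

    def _log(self, now, user_id, event, ok=False):
        self.audit.append((now, user_id, event))
        return ok

    def create(self, user_id: str, password: str) -> None:
        if user_id in self.accounts:
            raise ValueError("identifier already in use: accounts must not be shared")
        if not password_is_strong(password):
            raise ValueError("password does not meet the policy")
        salt = secrets.token_bytes(16)
        self.accounts[user_id] = {"salt": salt, "hash": _hash(password, salt),
                                  "failures": 0, "locked_until": 0.0}

    def authenticate(self, user_id: str, password: str, now: float) -> bool:
        acct = self.accounts.get(user_id)   # `now` (seconds) is passed in so the block is deterministic
        if acct is None:
            return self._log(now, user_id, "unknown-user")
        if now < acct["locked_until"]:
            return self._log(now, user_id, "blocked")
        if hmac.compare_digest(_hash(password, acct["salt"]), acct["hash"]):
            acct["failures"] = 0
            return self._log(now, user_id, "success", ok=True)
        acct["failures"] += 1
        if acct["failures"] < MAX_FAILURES:
            return self._log(now, user_id, "failure")
        acct["locked_until"], acct["failures"] = now + LOCK_SECONDS, 0   # temporary block
        return self._log(now, user_id, "blocked-after-failures")
```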
Organisational measures complement the physical and logical measures; they structure and establish the procedures by which the chosen security measures are applied.
Examples of measures:
▶ Data access control policy.
- Define the procedures to be followed for each movement of personnel (arrival, departure, or change of assignment).
- Carry out regular reviews of the rights granted to users.
- Provide for checks to be carried out in the event of a request from a third party to transmit data (e.g. police services).
▶ Make users aware of the conditions under which data is used.
- Distribute and have each user sign an IT charter setting out the conditions for using IT equipment and personal data.
- Regularly make users aware of internal and criminal rules, and of existing threats (vulnerabilities, cyber-manipulation, etc.).
- Document procedures for using data, update them and make them available to users.
▶ Define a policy for managing incidents involving personal data.
- Establish a procedure in the event of theft/loss of personal data (people to notify, lodging a complaint, etc.).
- Provide for the contact person(s) to be notified in the event of a breach of data integrity, confidentiality or availability.
▶ Provide for regular audits of procedures and processing.
- Identify the relevant processing operations for a regular internal or external audit.
- Establish monitoring of the implementation of measures recommended following audits.
- Establish criteria for reviewing risk analyses (deadlines, technological advances, vulnerabilities made public, etc.).