Data security requirement under GDPR


Under Article 32 of the GDPR, data controllers and data processors must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, and to help prevent a personal data breach. However, in order to future-proof the GDPR, the Regulation unfortunately does not go on to say what the currently appropriate security measures are.

First, always ask yourself the question: what is the risk to the data subjects if the personal data we control belonging to them were leaked?

If the honest answer is "not a lot", then you need to put in place the minimum security measures outlined below. However, if the answer is anything else, then you need to give serious consideration to mitigating that risk. So the second thing you should do is test whether your own risk assessment is correct by carrying out a Data Protection Impact Assessment (DPIA), and use the outcome of the DPIA to help decide what to do next.

We have put together some guidance that may be useful as a starting point on what we think the current 'state of the art' security requirements are for SMEs in Ireland in 2020.

Please note that the list below is based on some assumptions and is intended for guidance only. It should not be relied on as a substitute for obtaining security and legal advice.


Minimum security measures under the GDPR

  • Firewalls which are properly configured and using the latest software

  • User access control management, for example by using the UAC functionality in Windows. Please note that in order to comply with the GDPR, there should be no one person in your organisation with full access to all files; even your network administrator should have restricted access.

  • Unique passwords of sufficient complexity, with regular (but not too frequent) expiry, on all devices (including mobile phones) to defend against dictionary and rainbow table attacks. Research in the UK has shown that forcing users to change their 'complex' passwords often leads to the recycling of old passwords, which may already be known to attackers.

  • Regular software updates, if appropriate, by using patch management software

  • Timely decommissioning and secure wiping (that renders data unrecoverable) of old software and hardware

  • Real-time protection anti-virus, anti-malware, and anti-spyware software

  • Encryption of all portable devices ensuring appropriate protection of the key

  • Encryption of personal data in transit by using suitable encryption solutions if required. If your organisation processes minimal amounts of personal data, encryption may not strictly be a legal requirement and organisations may achieve appropriate levels of security and comply with the law by other means

  • Implement secure configuration on all devices (including mobile phones)

  • Put in place intrusion detection and prevention systems

  • Regular data backups


Minimal organisational measures under the GDPR

  • Vet and train staff, contractors, vendors, and suppliers on a continuous basis, as individuals are often found to be the weakest link

  • Insist on Non-Disclosure Agreements and Data Processor Agreements prior to entering into formalised agreements

  • Provide training to staff on data processing obligations and on the identification of breaches and risks. Even with state-of-the-art security software, you may not be able to prevent some breaches without appropriately trained staff

  • Restrict staff access to personal data to those who need to know (also referred to as the "principle of least authority")

  • Ensure physical security on premises, including a policy for staff to lock away their documents overnight in secure cabinets and to dispose of any sensitive printouts that are no longer needed by putting them in a confidential bin or through a cross-cut shredder

  • Put in place a Bring Your Own Device (BYOD) policy if you allow use of personal devices for work 

  • Where possible implement a strict ban on the use of personal email for work purposes.


Other suggested commonly adopted security practices for higher risk data

  • Consider multi-factor authentication, especially for remote access, through a fob or through the presence of a corporate mobile phone

  • Keep the Wi-Fi passcode confidential and change it regularly to prevent the creation of "evil twin" Wi-Fi access points. Generally, any Wi-Fi access to the corporate network should use WPA-TKIP, which is a centrally administered authentication method and grants access only to authenticated users.

  • Implement web content filtering to prevent access to hazardous URLs

By now we all know the potentially huge fines that can be levied under the GDPR against an organisation that suffers a data breach. Don't let your organisation be the next statistic.

Finally, we would reiterate that staff training is probably the most important part of preventing a data breach, as the most common breaches result from human error; it can be as simple as clicking 'reply all' instead of 'reply'. Cyber criminals understand that the human is often the weakest link, and they act accordingly.

As your Data Protection Officer or Data Privacy Consultant, we are here to answer any questions you may have or any concerns in relation to this blog. We are happy to work with you to implement privacy-friendly changes to your security strategy.
