Many provisions and stipulations of the GDPR boil down to a simple requirement: ensure the data is safe. If you manage to do that, you have much less to worry about and all other issues that may arise become a lot easier to solve. That is why we have decided to compile a list of the most commonly employed data protection methods that will help you stay GDPR compliant – some have even been enshrined in the regulation itself.
1. Risk Assessments
The riskier the data, the more protection it has to be afforded. Sensitive data should be closely guarded, whereas low-risk data can be afforded less protection. The major reason for these assessments is the cost benefit, as better data security equals greater expense. However, it is a good test to determine what data needs to be guarded more closely and makes the whole data processing system more efficient.
There are two axes upon which your risk assessment should be based: the potential severity in case of a data breach and the probability of a breach. The higher the risk on each of these axes, the more sensitive the data is. These assessments will often require the assistance of a data protection officer (privacy officer) who will help you establish valid ground rules. Avoid doing it on your own unless you are absolutely certain you know what you are doing. Mischaracterized data, if lost, could prove disastrous.
Backups are a method of preventing data loss that can often occur either due to user error or technical malfunction. Backups should be regularly made and updated. Regular backups will impose an additional cost to your company, but potential interruptions to your normal business operations will cost even more. Time is money!
Backups should be performed in accordance with the principle explained above – data of low-importance does not have to be backed up as often, but sensitive data does. Such backups should be stored in a safe place, and possibly encrypted. Never store sensitive data in the cloud. Periodically check storage media for deterioration, as per the manufacturer guidelines, and make sure to store them according to official recommendations (check for humidity, temperature, etc.)
Tape-storage methods are still a cheaper option (by two-thirds) compared to hard disks. However, hard drives are more versatile and better-suited to small scale operations. Data access is also much faster with disk-storage methods.
High-risk data is the prime candidate for encryption every step on the way. This includes during acquisition (online cryptographic protocols), processing (full memory encryption) and subsequent storage (RSA or AES). Well-encrypted data is inherently safe; even in cases of a data breach, the data will be useless and irrecoverable to attackers.
For that reason, encryption is even explicitly mentioned as a method of data protection in the GDPR, meaning its proper use will certainly bring you favours in the eyes of the regulators. For example, if you experience a breach that affects encrypted data, you do not even have to report it to the supervisory authorities, since the data is considered adequately protected! For this reason alone, you should consider encrpytion as your #1 data security method.
Pseudonymisation is another method advocated in the GDPR that increases data security and privacy of the individuals. It works well with larger sets of data, and consists of stripping identifying information from snippets of data. For example, you replace the names of persons with randomly generated strings. The identity of a person and data they supplied therefore become impossible to link together.
You are still left with somewhat useful data, but it does not contain sensitive identifiable information anymore. Since people cannot be directly identified from pseudonymised data, the procedures in the case of a data breach or loss are much simpler and the risks are greatly reduced. The GDPR recognises this and the notification requirements have been significantly relaxed in case of pseudonymised data breaches.
Pseudonymisation is also a must when performing scientific or statistical research, so institutions and schools should be well-versed in properly pseudonymising their data.
5. Access Controls
The introduction of access controls to your company’s workflow is a very efficient risk reduction method. The fewer people have access to the data, the lesser the risk of (inadvertent) data breach or loss.
You should ensure that you give access to sensitive data only to trustworthy employees who have a valid reason to access it. We recommend you hold regular prior data handling education courses and refreshers, especially after hiring new employees.
With help of your data protection officer, draft a clear and concise data protection policy outlining the methods, roles and responsibilities of each employee (or a group of employees).
There may come a time where the data you have will need to be destroyed. Data destruction might not seem like a protection method at a first glance, but in fact it is. The data is being protected this way against unauthorised recovery and access. Under the GDPR, you have the obligation to delete the data you don’t need, and sensitive data warrants more comprehensive methods of destruction.
Hard disks are most often destroyed using degaussing, whereas paper documents, CDs and tape drives are shredded into tiny pieces. On-site data destruction is recommended for sensitive data. Encrypted data can easily be deleted simply by destroying the decryption keys, guaranteeing the data will be unreadable… for at least the next few decades, after which it will likely become obsolete anyway.