While adhering to the GDPR guidelines will not protect your company from cyberattacks, the GDPR has certain provisions that make cyberattacks less likely and surely less painful. However, it also imposes certain obligations upon businesses, which are worth delving into. Let’s see how GDPR can help you mitigate security risks and what it does to protect the individuals whose data is at risk.
How Does the GDPR Help Secure Data?
The GDPR brings strengthened data security measures that will help mitigate the risk of potential breaches. This does impose additional obligations on a company at the threat of enormous fines, but a smart data security system is in everyone’s best interest, since data breaches can create massive financial and societal costs.
Risk management is the core of ensuring data security, and it is an integral part of DPIAs (data protection impact assessments). The higher the risk, the more exhaustive the security measures have to be. All privacy impact assessments must contain the list of steps that will be taken to minimize the risk. You should properly assess the risk of data with the help of your DPO (data protection officer).
Furthermore, since the GDPR stipulates only necessary data may be stored for processing, by reducing the amount of data kept on hand, the risk of severe data loss is also mitigated, since in most cases the data should have been deleted. The level of security should be appropriate for the data in question.
Records must be kept in all organizations with more than 250 employees. Such records must contain the purposes of processing, categories of processing and the recipients of personal data (i.e. data processors and individuals within a company). Any cross-border transfers must also be documented, as well as the list of security measures that are to be used (previously determined in the DPIA).
This adds to the transparency; your company should know at any time where the data is and what is being done to it. This will ease the detection of breaches and the identification of culpable entities / lacklustre security measures.
The GDPR prescribes concrete obligations for data security. This is regulated in Article 32. However, as stated in the Risk Assessment paragraph, companies do not have to apply the same stringent levels of technical measures for all data.
The most lauded technical measure within the GDPR is pseudonymisation. Whenever possible, you should try to do it. It refers to processing in such a way that the person behind the data cannot be reasonably determined. You can see the benefits right away – even if a breach occurs, the data is worthless to an attacker when it comes to causing damage to individuals.
Data encryption is also important and should be enacted whenever possible. These two are the core data protection mechanisms listed by the GDPR, and you should always try to apply those.
After classifying the data according to risk, you can start adopting organisational and technical measures. This includes security policies, access controls, clear delegation of responsibilities, resource management and others.
Technical measures include authentication and password policies. Database security is a must. This includes encryption, authorised queries, searchable encryption. Consider encrypting storage drives on your server. Update all anti-virus programs on your users’ PCs, and for sensitive data, do not allow your employees to transfer personal data to PCs containing such data. Consider full-disk encryption and do not connect these computers to the Internet. Backup often and delete data safely.
In the Event of a Breach…
… the most important thing to do is to notify the authorities. Articles 33 and 34 contain the relevant provisions for that purpose. If you experience a data breach, consider whether it resulted in a “destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (Article 4).
Data controllers should contact the supervisory authorities as soon as possible, without undue delay, but never later than 72 hours after a breach. Notifications to the supervisory authorities must contain at least the following:
- a description of the nature of the breach, categories and approximate number of affected records and individuals
- contact details of the company’s DPO
- a description of probable consequences of the breach
- an outline of measures taken to address the breach and its adverse effects
All steps that are taken when addressing the breach have to be meticulously recorded, with all the relevant facts.
If In Doubt, Notify
If a data breach is highly likely to present a high risk to freedoms of individuals, you must notify them right away. Whatever you do, don’t be like Uber and hide the fact that a breach occurred.
Consider the following: If the data lost in the breach could result in “discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage”, then it is high-risk and you should notify the data subjects immediately, especially if sensitive data has been lost.
If you have personal information from many individuals and contacting them would be extremely impractical, public communication, such as a press release, can be used instead. All communication should be in plain, easy to understand language.
Note that these requirements are waived if proper pseudonymisation or encryption measures have been implemented, as the personal data would be unintelligible to unauthorised personnel. However, you must be able to demonstrate that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
That is why it is important to have a good security system in place, since it can literally save your company from grave consequences and huge fines.
Have an incident response plan prepared that will include procedures and delegated responsibilities for swift mitigation of incidents. Make sure to document the procedures that have been taken. Record all the possible details of the breach.
What Are the Fines?
GDPR contains clear rules on conditions for imposing administrative fines. Failure to notify the supervisory authority can attract a fine of 2 % of a company’s global turnover or EUR 10 million, whichever is higher. If it is demonstrated that grave negligence occurred, such as unlawful data processing, non-transparency, infringement of data subject’s rights, or illegitimate cross-border transfers of personal data, among others, this brings with it the highest possible fines, of up to 4 percent of a company’s global turnover or EUR 20 million, whichever is higher.
Always Be Vigilant
Data breaches are always a messy affair. They can be costly both for individuals and your company. They are likely to result in tarnished reputation and a loss of trust in your business. This can be even more perilous than the potential fines under the GDPR.
It does not have to be that way. The GDPR is made in such a way to steer the companies toward proper data security policies that would reduce the number of data breaches and, even if they do occur, significantly reduce the negative fallout that can result from them.
Our advice is simple. Ensure that you are GDPR compliant and you have already done half the work. Your data will be much safer, and the risk of fines will be non-existent. There is still time, but the clock is ticking – 25 May 2018 is around the corner.