The General Data Protection Regulation (GDPR) is the new piece of legislation that will replace the current Data Protection Directive 95/46/EC on 25 May 2018. It applies to the entire European Union, bringing with it the harmonisation of rules and easier compliance when doing business in another EU country.
The GDPR puts forward new rights for EU residents that companies should be aware of (covered in one of our articles). With those rights come several obligations for data controllers and processors (in practice, the companies that decide how personal data is used and those that handle it on their behalf), who must undertake the appropriate data protection measures, lest they violate the GDPR and risk a steep fine. Fines can go up to 4 percent of the company's worldwide annual turnover or EUR 20 million, whichever is higher, so this is no laughing matter.
Let’s take a look at the basic principles of data protection under the GDPR.
Basic Requirements
The GDPR (Article 32) prescribes that every controller and processor implement appropriate security measures, encompassing the pseudonymisation and encryption of personal data, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore data promptly after an incident (which in practice means tested backups), and the regular testing and evaluation of the technical and organisational measures in place.
However, this full range of data protection methods does not need to be applied to every piece of data a company collects from its customers. See more below:
Risk-based approach
The appropriateness of the various safety and technical measures for ensuring the security of data depends on the data itself. Sensitive data needs to be guarded well, whereas data deemed less important requires less stringent measures.
Of course, there is nothing stopping you from implementing state-of-the-art security measures across the board for all kinds of data, but that usually means high expenses and a waste of resources.
The GDPR introduces the concept of risk. A piece of personal information is risky if there is a considerable chance that the data subject (customer, resident) would experience significant damage and/or distress in the event of a data breach.
At times, it can be difficult to gauge the importance of data and what measures should be taken to protect it. In some cases, it is easy to guess: bank account data is to be kept highly confidential at all times, whereas age or place of birth is not as sensitive on its own. That is why qualified personnel are required to evaluate the potential impact of a data breach on the company and on the individuals for whom the company has data on file. The affected individuals need not be notified of a breach if it is unlikely to result in a high risk to them; the supervisory authority must still be notified within 72 hours unless the breach is unlikely to result in any risk at all.
Low-risk data is data whose loss would be at most a minor annoyance to the user. High-risk and very high-risk data is data whose loss or wrongful use can have long-term negative consequences for an individual, including health problems, loss of property, social stigma, or even death.
Organizational security measures
Proper security policies for the handling of data should be put in place and regularly evaluated. If high-risk data is being handled, the policies need to be revised twice per year, with separate policies for the processing of personal data.
Organizations should ensure a clear distribution of roles among individual workers so that only those who strictly need to access personal data have the right to do so. Access control roles should be segregated for more sensitive data, and only a handful of individuals should have access to high-risk data.
Data processors must notify the data controller of any breach without undue delay and provide evidence of compliance to the data controller. Employees of processors and controllers can be bound by non-disclosure agreements if high-risk data is being handled. Annual training should be provided for employees handling sensitive data.
Backups
It is essential for a company to ensure that its users' data is backed up at all times, both to ensure smooth operation and to guard against loss and destruction of data. The more critical the data, the stronger and more aggressive the backup measures should be.
For low-risk data, only a regular degree of backup security is required, such as storing backups in a safe place and carrying them out regularly with strict monitoring. Sensitive data requires extra steps: regular testing of backup media (a backup that has never been restored is not known to work), encryption if the data is sent to a third-party backup service, and encryption of all backups when dealing with very sensitive data. Such copies should be stored offline, so that an attacker who compromises the live systems cannot also destroy or encrypt the backups.
Encryption and Pseudonymisation
In general, low-risk data requires neither encryption nor pseudonymisation. However, medium- and high-risk data should be pseudonymised.
Pseudonymisation is the process of storing personal data in such a way that an individual cannot be directly identified by looking at it. The data is not completely anonymous, but neither does it contain the name of the user or other directly identifying information. In order to reliably identify an individual, additional information is required, and the GDPR requires that this additional information be kept separately and protected by its own technical and organisational measures. The data remains useful, but is much more secure.
Data should also be pseudonymised when it is processed for scientific research or statistical purposes. Furthermore, pseudonymisation can relieve a company of the obligation to notify individuals should a breach occur, as the recipients of the leaked data cannot identify the persons to whom it pertains; this holds only if the separately stored key or mapping needed for re-identification was not itself exposed. The company also needs to take measures to prevent inadvertent re-identification, which can occur when several non-identifying pieces of data (such as date of birth and postcode) are combined.
Encryption is also encouraged by the GDPR as a means to further protect sensitive data from inadvertent exposure or unauthorised use, even in the event of an external or internal data breach.
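The two points above (replacing direct identifiers with a token that needs separately held information to reverse, and the linkage risk that remains in the attributes left behind) are easier to see in code. The following is an added example, not code from the original article: it pseudonymises a small set of constructed records with a keyed HMAC, keeps the token-to-identity table apart from the dataset, and then measures how easily the remaining quasi-identifiers single out a person before and after coarsening them. The records, the key and the field names are all assumptions made for the example.

```python
import hmac
import hashlib
from collections import Counter

# Constructed sample records for the example; these are not real people.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "dob": "1984-03-12",
     "postcode": "SW1A 1AA", "diagnosis": "asthma"},
    {"name": "Bob Example", "email": "bob@example.org", "dob": "1984-07-30",
     "postcode": "SW1A 2BB", "diagnosis": "asthma"},
    {"name": "Carol Example", "email": "carol@example.org", "dob": "1990-11-02",
     "postcode": "M1 1AE", "diagnosis": "diabetes"},
    {"name": "Dan Example", "email": "dan@example.org", "dob": "1990-01-19",
     "postcode": "M1 2CD", "diagnosis": "diabetes"},
]

DIRECT_IDENTIFIERS = ("name", "email")   # removed from the working dataset
QUASI_IDENTIFIERS = ("dob", "postcode")  # stay behind, but can re-identify in combination


def pseudonym(secret_key: bytes, email: str) -> str:
    """Keyed, deterministic pseudonym. HMAC keeps records for the same person
    linkable, but the token cannot be reversed or recomputed without the key.
    A plain unkeyed hash of an e-mail address would be trivially reversible
    by hashing a list of candidate addresses."""
    return hmac.new(secret_key, email.lower().encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, secret_key: bytes):
    """Returns (pseudonymised records, lookup table).
    The lookup table is the 'additional information' the GDPR requires to be
    stored separately; in production it lives in a different, more restricted store."""
    lookup = {}
    out = []
    for rec in records:
        token = pseudonym(secret_key, rec["email"])
        lookup[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        out.append({"id": token,
                    **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return out, lookup


def reidentify(pseudo_record, lookup):
    """Only possible for whoever holds the separately stored lookup table."""
    return lookup[pseudo_record["id"]]


def generalise(pseudo_records):
    """Coarsen the quasi-identifiers so that combinations no longer single out one person:
    full date of birth -> year of birth, full postcode -> outward code."""
    out = []
    for rec in pseudo_records:
        r = dict(rec)
        r["dob"] = rec["dob"][:4]
        r["postcode"] = rec["postcode"].split()[0]
        out.append(r)
    return out


def k_anonymity(pseudo_records) -> int:
    """Smallest group of records sharing one quasi-identifier combination.
    k == 1 means at least one record is unique and re-identifiable by linking
    it to an outside dataset that has the same attributes with names attached."""
    counts = Counter(tuple(r[k] for k in QUASI_IDENTIFIERS) for r in pseudo_records)
    return min(counts.values())


if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumed; in practice drawn from a KMS or HSM
    pseudo, lookup = pseudonymise(RECORDS, key)
    print("working dataset:", pseudo[0])
    print("re-identified with lookup:", reidentify(pseudo[0], lookup))
    print("k before generalisation:", k_anonymity(pseudo))
    print("k after generalisation:", k_anonymity(generalise(pseudo)))
```

Note what the last two lines show: with names and e-mail addresses stripped, every record is still unique on date of birth plus postcode (k = 1), so anyone holding an electoral roll or similar could put the names back. Only after coarsening those fields does each combination cover more than one person. Pseudonymisation removes direct identifiers; it does not by itself remove linkage risk.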
Access Controls
Any employee working with personal data should authenticate before access, and the system should use that identity to enforce access levels. Such authentication and access control should be implemented in any organisation working with personal data, and especially where that data is sensitive.
More sensitive data should require long passwords, stored only as salted hashes produced by a slow password-hashing function rather than a plain cryptographic hash, and two-factor authentication is a must for high-risk data. Such data must not be routed through or sent to any computer outside the organisation.
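"Hashed passwords" is frequently implemented as a single fast SHA-256 of the password, which gives almost no protection once the database leaks. The following added example (not code from the original article) contrasts that with salted PBKDF2-HMAC-SHA256 using Python's standard library, enforces a minimum length, and verifies with a constant-time comparison. The minimum length and the storage format are assumptions chosen for the example; the iteration count is the figure given in the OWASP Password Storage Cheat Sheet for PBKDF2-HMAC-SHA256. Where Argon2id, scrypt or bcrypt is available, prefer it over PBKDF2.

```python
import os
import hmac
import hashlib

MIN_PASSWORD_LENGTH = 12        # assumed policy value; the GDPR prescribes no number
PBKDF2_ITERATIONS = 600_000     # OWASP cheat-sheet figure for PBKDF2-HMAC-SHA256


def weak_hash(password: str) -> str:
    """What 'hashed passwords' must NOT mean: fast, unsalted, and identical for
    identical passwords, so a leaked table can be cracked with precomputed hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Salted, slow hash. Returns a self-describing record so that the iteration
    count can be raised later without breaking existing entries."""
    if len(password) < MIN_PASSWORD_LENGTH:
        raise ValueError(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
    salt = os.urandom(16)  # per-password random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time
    so that timing does not reveal how many leading bytes matched."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record: treat as a failed login, never as success
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("login with wrong password:", verify_password("correct horse battery stable", record))
```

Two things to notice when running it: two calls to hash_password with the same password produce different records (random salt), whereas weak_hash gives the same digest every time, and each PBKDF2 call takes a noticeable fraction of a second, which is the point: the cost lands on the attacker trying billions of guesses, not on the user logging in once.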
Preventive Measures
Regular anti-virus maintenance should be performed. No outside memory devices such as USB sticks may be used to transfer personal data. Encryption is required for sensitive, high-risk data. Network traffic must be monitored, and data in transit must be protected with TLS (the older SSL protocol versions are broken and should be disabled).
Data should be destroyed safely. Simple deletion is enough for low-risk data, while high-risk data may require overwriting the storage, destroying the key if the data was stored encrypted, or even the physical destruction of the hard drives used to store it. Data destruction should not take place outside the data controller's premises.
Conclusion
The measures for ensuring data safety and compliance with the GDPR are sound and sane. They follow the approach of minimising costs while ensuring that truly sensitive data is well protected at all times.
The problem arises when evaluating risks. Experts are required for this step, and experience shows that SMEs (small and medium-sized enterprises) often lack the know-how and categorise personal data incorrectly.
This can have grave consequences should a data breach occur. For that reason, expert advice is a necessity, as is comprehensive training for employees and the enactment of sound company-wide data protection policies. With such a system in place, the risk of data breaches and fines is greatly reduced, with maximum efficiency and consumer trust.