Unfortunately, people come up with more and more types of personal data breaches nowadays, resulting in an increasing number of incidents.
For this reason, your company/organisation must organise a plan with measures – also called security measures – whose aim will be protecting the personal data entrusted to you by your users in the best way possible.
What will we touch on in this post?
- What are security measures and what are they useful for?
- What does the security policy include?
- How are security measures designed?
- What types of security measures are there?
- What should security measures ensure?
- What can your company look out for in order to avoid frequent personal data breaches?
- What is an impact assessment?
- What does carrying out an impact assessment involve?
- Record keeping
What are security measures and what are they useful for?
Security measures are actions taken by the Controller in order to ensure that the personal data used for the processing are fully necessary for the implementation of the purpose of the processing and to protect them from any breaches.
The security measures are useful for:
- Ensuring the accuracy of the user’s rights and freedoms entrusted to the controller.
- Securing and protecting the personal data of your company’s visitor/user, as the data is not accessible to an indefinite number of persons without the user’s consent.
- Ensuring that data subjects can access their data anytime they want.
Security measures must be documented in appropriate policy papers, as required by the principle of accountability, according to which the controller is responsible for implementing all processing principles. For more information on these principles, head over to our introductory article on personal data.
For this reason, it is good practice for the controller to formulate a document describing the security objectives and the corresponding procedures to be followed in order to achieve these objectives, and may even be considered as a requirement in certain cases (e.g. large undertakings, undertakings whose main purpose is the processing of personal data regardless of size, undertakings whose processing operations are subject to the requirement for a data protection impact assessment etc).
This document is called a security policy.
A data controller is a natural or legal person designated by each company who determines the purposes and means by which the personal data received by the company/organisation from its users are processed.
What does the security policy include?
In order to be effective and properly organised, a security policy should at a minimum include:
- The most important security principles to be observed such as confidentiality, integrity, data availability, accountability in case of errors and breaches, etc
- The data and files that will be protected through it
- The scope and purposes of the security policy related to the data it protects
- The company’s organization regarding the roles, duties, and responsibilities of the persons working in the company ( including of course those related to the security policy), as well as how the employees are trained and informed about the measures to be taken in case of a breach
- The various areas to which the policy applies and, more specifically, the procedures for protecting these areas
- The means of evaluating and monitoring the appropriate implementation of security policy measures
The policy should be clear and comprehensive and should not contain any complicated technical terms that would make the policy difficult to implement in practice, e.g. because it may depend on technological means not available to the company. It is also important that the policy includes its review process.
Everything stated in the security policy binds all the company’s staff especially the employee sector related in any way to users’ personal data, while it should also comply with EU legislation (Regulation 2016/679).
Example of Twitter’s Security Policy:
How are security measures designed?
According to Article 32 of the GDPR, the data controller, along with those involved in the data processing should set some specific procedures, as well as some technical-organisational measures, in order to limit the cases of data breaches. This process should be done taking into account:
- the available technology
- Implementation costs
- nature
- the scope
- the circumstances and purposes of the processing
- the likelihood of serious risks to the processing (such as accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of data transmitted, stored or otherwise processed). Risks are objectively taken into account by assessing the connection between the way of processing and the occurrence of the specific risk
What types of security measures are there?
Security measures can be divided into two big categories:
- Organizational security measures
- Defining the roles and tasks-responsibilities of staff involved in the data processing
- Defining the responsibilities of the data protection officer
- Staff training
- Managing security incidents and actions in the event of a breach
- Technical security measures
- Managing the information system users
- Creating backup files
- Security communications
- User identification and authentication system
These examples of organisational and technical security measures are indicative, i.e. they can be expanded by the data controller. It is through these measures that the instructions stated within the security policy are implemented and form the organisation’s security plan.
For more information on the examples of security measures, click here.
What should security measures ensure?
According to Article 32 of the GDPR, using security measures should ensure:
- The pseudonymisation and encryption of personal data
- The ongoing
- confidentiality
- integrity, in other words, the data must be accurate, clear, truthful and not altered
- availability, in other words, allowing users to access their personal data whenever they want
- resilience of processing systems and services
- The access to personal data in the event of a physical or technical incident. For example, users can only access the video surveillance system software through an account personalised for each user.
- The regular evaluation and assessment of the systems, procedures and security measures used to protect the processing.
Of course, guidelines and specific instructions detailing the implementation of security measures and demonstrating compliance with Regulation 2016/679 can be provided by the company’s Data Controller and the Data Protection Board through approved codes of conduct and certifications.
What can your company look out for in order to avoid frequent personal data breaches?
Today, we see that small and medium-sized companies are conducting many of their activities online, which is exactly the reason why it’s estimated that a lot of data breaches could have been avoided had companies followed some of the good practices outlined below:
ACTIONS THAT LEAD TO DATA BREACHES | SAFE ACTIONS |
---|---|
Sending e-mails that contain personal data to the wrong number of recipients | Keeping users informed and creating procedures for confirming and checking the emails of recipients. Also, encrypting these files and providing the recipient with a decryption “key”, given on the first contact. |
Using laptop computers and storage media, which can be often stolen | Transferring personal data by portable means after encrypting them |
Using very simple passwords, which can be easily hacked | Following a specific policy for passwords, i.e. consist of at least 8 characters be complex in terms of content |
Publishing information to websites, which were not intended for public display | Controlling your internet servers and configuring them so that your users’ confidential information is not made public. More specifically, you can apply techniques such as the “robots.txt” file or the “noindex” mega tag, so that search engines cannot access the confidential parts of your website or you can protect parts of it by locking them with a password. |
Trusting e-mails that are sent by computer operators in order to install malicious software such as ransomware or malware | Educating users and raising awareness of the risks, so they will be more cautious when opening these e-mails. |
You can also learn more about this subject in our article about data breaches.
What is an impact assessment?
In some cases, it is likely that certain types of processing result in a high risk to the rights and freedoms of the subjects, e.g. by using new technologies.
For this reason, the GDPR requires the controller to carry out an impact assessment, which is a form of self-monitoring and assesses the risks that are going to arise through the data processing in order to tackle them more effectively.
Why is it useful for your company/organisation?
Carrying out an impact assessment also benefits whoever it is for, i.e. your company/organisation. More specifically, it is usually through the assessment process that security gaps and problems are identified, which in the event of an inspection by the relevant authority could lead not only to the imposition of sanctions but also to a series of negative consequences for your company/organisation.
In practice, the most important thing is that if, following a potential inspection by the data protection authority, it is found that an impact assessment was necessary but had not been carried out, the fines that can be imposed are high.
When should it be carried out?
An impact assessment is carried out when the rights and freedoms of natural persons are at high risk. More specifically:
- When there is a systematic and extensive evaluation related to natural persons and based on automated processing, including profiling. Thus, processing leads to decisions that produce legal effects concerning the natural person or similarly significantly affect the natural person.
- When systematically monitoring a large public area, such as when using CCTV cameras. In this case, the rights and freedoms of data subjects are likely to be at high risk, particularly because the processing prevents the subjects from exercising a right or using a service or contract, or because it is carried out systematically on a large scale.
- Where the processing involves special categories of data, such as data relating to health, sexual orientation etc. (for more information check out our article on sensitive data) or personal data relating to offences and criminal convictions.
Important! Your Data Protection Authority may designate more types of data processing as high-risk!
What does carrying out an impact assessment involve?
The impact assessment is carried out by the data controller and according to Article 35 (7) of the GDPR, it should contain at least the following:
- Regular analysis of the operations, procedures and purposes of the processing. For example, when your company decides to install a CCTV system on its premises to prevent vandalism and crime.
- Assessment of the proportionality and necessity of the processing in relation to the purposes. In other words, whether this particular form of processing is both appropriate to serve the purposes for which it is carried out and the least intrusive to the rights and freedoms of the data subjects compared to other forms is also assessed.
- Assessment of the risks to the data subjects’ rights and freedoms.
- Documentation of the means and procedures used to deal with cases of breach and risks, including the measures and safeguards taken by the company to demonstrate their implementation.
Record keeping
If your company/organisation employs more than 250 people, it should be able to demonstrate that it follows and complies with the GDPR and fulfils all its duties regarding users’ personal data. This is made possible by having the data controller keep records, which, according to Article 30 of the GDPR, should include:
- The name and contact details of the persons involved in the processing, i.e. the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer
- The purposes of the personal data processing
- The description of the categories of personal data and data subjects
- The categories of recipients to whom the personal data are to be or have been disclosed, including recipients in third countries or international organisations
- The envisaged deadlines for erasing the different categories of data
- The general description of the implemented security measures, organisational and technical ones.
Of course, it may also concern companies/organisations with fewer than 250 persons if the processing carried out is likely to present a risk to the rights and freedoms of the data subject, if the processing is not occasional or if the processing involves special categories of data (like sensitive personal data) or data relating to criminal convictions and offences.