In 2017 I was heavily involved with designing a data-centric security assessment framework for GDPR. The framework defined the key areas to assess and carry out an effective self-audit. The results? A gap analysis identifying risks, issues and vulnerabilities that needed to be logged and recommendations for remediation.
If you haven’t taken any action yet, now is the time to start getting the ship in order. Before you consider new technologies such as tokenisation or encryption, make sure you review your existing security toolset. The completion of a gap analysis will help create a clear plan of action for remediation of vulnerabilities in your environment.
The complexity and volume of work will differ vastly depending upon the type of organisation you work for, but the principles remain the same. It’s also worth reviewing how many layers of security you have in place. Do you have a culture of defence in depth?
Security of processing
Let’s look in more detail at what the GDPR expectations are from a security perspective. The first port of call is Article 32 ‘Security of processing’. The article is short and easy to read through; however, it contains some key requirements and expectations. In particular, the most pertinent is; ‘the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk’
There is a similar mention within Article 5 for the ‘use of appropriate technical or organisational measures’ too. It is also vital to understand that these requirements apply to both controllers and processors of personal data. Paragraph 1 contains four requirements that are determined by appropriateness; let’s examine each one:
(a) the pseudonymisation and encryption of personal data: If an organisation is processing large volumes of personal data or sensitive categories, then this is quite a game changer. Encryption-in-transit has long been an accepted standard over email (TLS) or for file transfers (SFTP). There now appears to be a clear expectation for organisations to encrypt data-at-rest. Performance and cost becomes a clear challenge here and this is where solutions creating partial depersonalisation or pseudonymisation come into play. This enables businesses to encrypt high risk data whilst seeing less of a performance hit.
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
The latter three requirements have been kept together as they go hand-in-hand. What would you do in a disaster scenario? Is personal data and the solutions needed to interpret the data being regularly backed up? Can it be restored in a timely manner? Is there a risk of data loss? Disaster recovery solutions, like data replication and back up technologies, are vital to businesses of all sizes.
Do you have a DR plan? How do you test the capability, and have you worked through a DR scenario or even carried out a real test? You’ll also need to consider the areas outside of IT that need to be involved and as a business decide who leads for such an incident? These are all key questions to assess and understand what your organisation needs to do, and how IT and security can support to make it happen.
Data breaches
Article 33 outlines the requirements for a data controller to notify the supervisory authority of a personal data breach. How will your organisation detect or investigate data breaches? Do you have the necessary tools and knowledge within your organisation to react or proactively manage them?
This is where threat detection, threat prevention and monitoring tools will be critical. If you don’t have the required skills in-house, then invest in developing existing staff, recruit, or find a strategic partner you can work with. Good encryption and key management offer an excellent layer of defence. If a personal data breach occurs, but the data has been encrypted, it is not reportable to the supervisory authority.
The DPIA
Article 35 defines the requirement of a data protection impact assessment (DPIA). Many organisations should already have a similar process in place. The previous name for the process under Data Protection is a PIA (Privacy Impact Assessment). These should be built into the project life-cycle to risk assess and capture any high-risk processing of personal data. The key things to identify within a DPIA are:
- The types of data being processed and, in particular, if any are of sensitive categories.
- Volume(s) of data being processed.
- Whether new technologies are being used.
- Whether there will be any form of profiling or automated processing.
What if you have existing high-risk processing? This is a grey area however, the sensible approach would to be carry out a retrospective DPIA focusing on the highest risk processing first.
Staff training
Article 39 lays out the requirements for a DPO (Data Protection Officer) and part of the remit must ensure staff have training and appropriate awareness of data protection, privacy and security of data. This is where your security or IT department can provide key knowledge and understanding, and in particular, on cyber threats, best practice for protecting and securing data, and so on. It’s not always conceived, but employees actually offer one of the largest threats to their organisations.
An example of a phishing scam:
Dear [Name]
We are currently contacting all of our customers to ensure you are happy to receive our newsletters and updates going forward.
We are taking the new GDPR very seriously, so in order for you to be in control, please click the following link to manage your subscription: [clickable url]
The security and data protection specialists reading this will no doubt be laughing at the clear disregard of GDPR and PECR (Privacy and Electronic Communications Regulations) here. The real concern is the growing threat of distraction techniques like this to make an email seem genuine.
There are plenty of solutions and tools that can add a layer of defence for malicious web and email links, however staff also need to be trained and given guidance on how to deal with these types of threats. This is not an area a business should be skimping on. You could have the greatest and latest technologies but if your staff are not savvy then this is where security holes and data breaches can quickly emerge.
Record keeping
Article 30 can easily be seen as a concern for the business and DPO, but do they understand and know what security measures are in place? What remediation has been undertaken to improve your security stature? What on-going processes are in place to monitor gaps and threats in the future? These need to be documented and recorded appropriately by the business. It’s likely this will be housed in an excel spreadsheet, but do consider how IT can add value and support the business.
Joined up thinking!
A fully joined up and aligned GDPR programme is vital and cannot be left to just one business area to deal with. I’ve come across a number of peers who’ve reported GDPR being left to IT or legal to resolve. By taking the opposite approach, this will encourage positive collaboration between business, security and IT. GDPR is a business concern, but requires joined-up expertise from legal, Security and IT teams. Ensure you have buy-in from the very top of the organisation too!