While the legal aspect of the GDPR is essential, a whole section (Chapter 4, Section 2 of the GDPR) dealing with the security of personal data is equally important.
Why? Because collecting data in accordance with the GDPR is fine; but what if your storage location is targeted by a cyberattack? What’s the point of collecting data in accordance with a text if you cannot guarantee that the data you collected is safe?
Who is subject to it?
GDPR Chapter 4, Section 2, which concerns the controller and the processor, states in Article 32 that these two parties bear this security obligation.
Therefore, since they are subject to this heavy obligation regarding the data they possess, they must take all the measures necessary to guarantee the security of the data they have collected, in compliance with the GDPR provisions.
Risk, the discriminating criterion
Article 32 of the GDPR states that “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”
What’s important about this article? The idea that not all data and processing operations carry the same degree of risk.
Consequently, it was necessary to introduce proportionality between the risk and the level of security to be implemented. This makes it possible to implement adequate data protection (why kill an insect with a bazooka?).
Assess the risk
Following the advice given by the CNIL regarding data security, 4 elements should be studied if you want to carry out risk management tailored to your needs:
Inventory of personal data processing:
It is your responsibility to keep a register in which you record all processing operations. The following information must appear in this register:
- The data processing carried out (contracts, management, customer file, etc.)
- Whether it is automated or not
- The data media (paper, software, hardware…)
Although this stage may seem tedious, it is no less essential. It lets you make an inventory of your data, so that you can protect it by category, which will ultimately save you time!
Risk assessment
To assess the risk and its intensity, the supervisory authority recommends that you check 5 points:
- The potential effects on the individuals’ rights and freedoms in case of:
  - Illegitimate access to the data
  - Unwanted or unauthorized modification of the data
  - Data disappearance (the supervisory authority gives the example of a drug interaction caused by the impossibility of accessing a patient’s data).
- The sources of risk, in other words: what can cause the risk?
- The feasible threats. For each threat identified, you must ask what could make this threat feasible (the medium itself, its use, a person…)
- The existing or planned measures to protect the data.
- All these elements will allow you to establish proportionality between the seriousness of the risk and the likelihood that this risk will occur (the idea behind the PIA, the privacy impact assessment).
What for? To implement protective measures and guarantee your data security.
Responding to the risk: technical and organizational measures
Organizational measures can be understood as measures that will, at the level of your company’s organization, guarantee the protection of the data in your possession.
In practice: raise your teams’ awareness according to the data they process, change passwords, restrict access to the most sensitive data, strengthen access controls on your databases…
Technical measures pertain to the protection of your data at the IT level: for example securing workstations, protecting your internal and mobile networks, securing your servers…
To this end, the supervisory authority gives some protection advice, such as using encryption.
WARNING: keep in mind that the level of protection the supervisory authority expects of you may vary depending on the nature and quantity of the data you process.
Don’t take unnecessary risks: the penalties are now up to €20,000,000 or 4% of your annual worldwide turnover…
To go further: how can I secure my website or web application and prove my good faith?
More than just data protection, the SECURITY by HTTPCS vulnerability scanner protects your website or web application. Thanks to the vulnerabilities it reports and the corrective measures it recommends, your data is protected from malicious attacks.