GDPR is here: have you thought about securing your data?
Nowadays, securing our data is essential. Measures that are both technical and organisational must be ready to counter any foreseeable risk.
While the legal side of the GDPR is fundamental, a whole section (Chapter IV, Section 2, "Security of personal data") is devoted to the security of personal data and is no less important.
Why? Because collecting data in accordance with the GDPR is fine; but what if the place where that collection is stored is hit by a cyberattack? What is the point of collecting data in accordance with a text if you do not guarantee that, once collected, the data is safe?
Who is concerned?
Chapter IV of the GDPR, on the controller and the processor, states in Article 32 (Section 2) that these two parties are the ones bound by this security obligation.
Thus bound by this heavy obligation concerning the data in their possession, they must take the measures needed to guarantee the security of the data they have collected in accordance with the GDPR.
Risk, a discriminating criterion
Article 32 of the GDPR states that "the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk".
What should you remember from this article? The idea is that not all data and processing operations present the same degree of risk.
It was therefore necessary to introduce proportionality between the risks incurred and the level of security to be provided, so that data protection is adequate rather than blanket (why kill an insect with a bazooka?).
Determine the risk
Following the CNIL's guidance on data security, four elements need to be studied in order to set up risk management suited to your needs:
Inventory of personal data processing:
It is your responsibility to keep a register (the record of processing activities required by Article 30) in which you list all the processing you carry out. The following information must appear in this register:
- the processing operations carried out (contracts, management, customer file, etc.)
- whether or not they are automated
- the data media (paper, software, hardware, etc.)
Although this step may seem tedious, it is no less fundamental: it gives you an inventory of your data, so that you can protect your data by category, which in the end saves you time!
To assess the risk and its severity, the CNIL recommends evaluating five points:
- Possible impacts on individuals' rights and freedoms in the event of:
- illegitimate access to data
- unwanted or unauthorised modification of data
- disappearance of data (the CNIL gives the example of a drug interaction caused by the impossibility of accessing a patient's data).
- Sources of risk: in other words, who or what could cause the risk?
- Feasible threats: for each threat identified, ask yourself what could make it feasible (the media themselves, their use, a person, etc.).
- Existing or planned measures to protect the data.
- Taken together, these elements let you weigh the severity of the risk incurred against the likelihood that it will occur (the idea behind the PIA, or privacy impact assessment).
Why? To put protective measures in place and guarantee the security of your data.
Mitigating risk: technical and organisational measures
Organisational measures are those which, at the level of your company's organisation, guarantee the protection of the data in your possession.
In practice: train your teams according to the data they process, rotate passwords, restrict access to the most sensitive data to the people who need it, and tighten (and log) access to your databases.
Technical measures are those which operate at the IT level to protect your data: for example securing workstations, protecting your internal and mobile networks, securing your servers, and so on.
To do this, the CNIL puts forward a number of protection solutions, such as encryption.
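As an added example (not code from the original page, the CNIL or the GDPR text), here is what "encryption" as an Article 32 measure looks like in practice for a single record: the sensitive fields are encrypted field by field with AES-256-GCM, the row identifier is bound in as associated data so a ciphertext moved to another row fails to decrypt, and a keyed-hash pseudonym is derived under a second key so the table can still be searched without the clear name. Article 32(1)(a) itself names both pseudonymisation and encryption. The PatientRecord type, its field names and the sample row are constructed for the illustration; the keys are generated at random only so the program runs stand-alone, whereas in production they would come from a key management system held apart from the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// PatientRecord is a constructed sample (not data from the page): the kind of
// "patient data" the CNIL's drug-interaction example refers to.
type PatientRecord struct {
	ID        string // row key, kept in clear so the record can be looked up
	Name      string // sensitive: stored encrypted
	Diagnosis string // sensitive: stored encrypted
}

// SealedRecord is what actually gets written to the database or file.
type SealedRecord struct {
	ID        string
	Pseudonym string // HMAC-SHA256 of the name: joins and duplicate checks without the clear name
	Name      []byte // nonce || AES-256-GCM ciphertext || tag
	Diagnosis []byte
}

// newAEAD wraps a 32-byte key in AES-256-GCM.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("encryption key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealField encrypts one field under a fresh random nonce. The record ID is
// bound in as associated data, so a ciphertext copied from one row into
// another fails authentication instead of silently decrypting.
func sealField(aead cipher.AEAD, recordID string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// openField reverses sealField; any bit flip or row mix-up returns an error.
func openField(aead cipher.AEAD, recordID string, sealed []byte) ([]byte, error) {
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed field too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], []byte(recordID))
}

// Pseudonymise replaces an identifier with a keyed hash. A plain SHA-256 would
// let anyone who reads the table re-identify people by hashing guesses; the
// secret key, kept apart from the table, is what makes this a pseudonym.
func Pseudonymise(hmacKey []byte, identifier string) string {
	m := hmac.New(sha256.New, hmacKey)
	m.Write([]byte(identifier))
	return hex.EncodeToString(m.Sum(nil))
}

// SealRecord prepares a record for storage: sensitive fields encrypted under
// encKey, a searchable pseudonym derived under the separate hmacKey.
func SealRecord(encKey, hmacKey []byte, r PatientRecord) (SealedRecord, error) {
	aead, err := newAEAD(encKey)
	if err != nil {
		return SealedRecord{}, err
	}
	name, err := sealField(aead, r.ID, []byte(r.Name))
	if err != nil {
		return SealedRecord{}, err
	}
	diag, err := sealField(aead, r.ID, []byte(r.Diagnosis))
	if err != nil {
		return SealedRecord{}, err
	}
	return SealedRecord{ID: r.ID, Pseudonym: Pseudonymise(hmacKey, r.Name), Name: name, Diagnosis: diag}, nil
}

// OpenRecord decrypts a stored row back into a PatientRecord.
func OpenRecord(encKey []byte, s SealedRecord) (PatientRecord, error) {
	aead, err := newAEAD(encKey)
	if err != nil {
		return PatientRecord{}, err
	}
	name, err := openField(aead, s.ID, s.Name)
	if err != nil {
		return PatientRecord{}, err
	}
	diag, err := openField(aead, s.ID, s.Diagnosis)
	if err != nil {
		return PatientRecord{}, err
	}
	return PatientRecord{ID: s.ID, Name: string(name), Diagnosis: string(diag)}, nil
}

func main() {
	// Random keys so the example runs offline; in production they come from a
	// KMS/HSM or secrets manager and are never stored next to the data.
	encKey, hmacKey := make([]byte, 32), make([]byte, 32)
	rand.Read(encKey)
	rand.Read(hmacKey)
	rec := PatientRecord{ID: "P-0001", Name: "Jane Doe", Diagnosis: "hypertension"} // constructed sample
	sealed, err := SealRecord(encKey, hmacKey, rec)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored row: id=%s pseudonym=%s... name=%x\n", sealed.ID, sealed.Pseudonym[:16], sealed.Name)
	back, err := OpenRecord(encKey, sealed)
	fmt.Println("decrypted:", back, err)
	sealed.ID = "P-0002" // move the ciphertext to another row: authentication now fails
	_, err = OpenRecord(encKey, sealed)
	fmt.Println("after moving row:", err)
}
```

Two design choices carry the security point of the paragraph above. First, the pseudonym and the ciphertexts live under different keys, so a compromise of the search key does not expose the encrypted fields, and the register of processing should record where each key is held. Second, binding the record ID as associated data turns a "wrong row" or tampered ciphertext into a hard error rather than a silent, plausible-looking decryption, which is exactly the "unauthorised modification" impact the CNIL asks you to assess.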
WARNING: bear in mind that, depending on the nature and volume of the data you process, the level of protection the CNIL expects from you may vary.
Don't take unnecessary risks: GDPR fines can now reach 20,000,000 euros or 4% of annual worldwide turnover, whichever is higher. A breach of the Article 32 security obligation itself sits in the lower tier of Article 83(4), up to 10,000,000 euros or 2%, but the same incident usually breaches other provisions as well.