We have explained consent, tracking and auditing of consent, as well as the right to be forgotten (briefly of course). However there is more. Apart from the obvious topics, there are underlying concerns such as security of data, i.e. ensuring that all personal data is protected and secured. The only issue here is that the regulation does not specify to which extent this data is to be protected and instead hides behind the vagueness of the word ‘reasonable’. As such it is up to each and every company to determine, the nature of the personal data they are storing and the risk that it could pose. Based on this, determine a budget for security measures.
In the world of technology, there exists a mantra that nothing is ever 100% secure but there are always mechanisms to make it more difficult to breach. These mechanisms however can be quite expensive to put in place, maintain or buy licenses for. There are multiple layers of security that one would need to consider, such as at infrastructure level, security of data in transit, data at rest, security from external sources as well as from internal sources. I shall very briefly and in as a simplistic manner as I can attempt to explain these 5 layers or facets companies need to consider.
This would mean making sure that the servers, the network and all the infrastructure where the data is hosted is safe and accessible only by those who are meant to access it.
“My company is old school, we still use paper for anything that contains personal data.”
Unfortunately this does not make you exempt. Many companies even those which are technology driven still have some form of paper trail which will at times contain personal data. This can be found most commonly within HR and Finance departments. In such cases the infrastructure are your filing cabinets and where you store these physical files.
GDPR is about personal data and not about whether it is stored online or offline. The regulation applied for both the digital and the physical.
In the digital environment, you might have firewalls, intrusion detection mechanisms, monitoring etc… In the physical environment this would translate to who has access to where the location where the documents containing personal data is stored? How can you control such access? Are the filing cabinets lockable? Who has the keys? Where are the keys stored?
Security of data in transit
Data which is on the move be it from one server to another or a filing cabinet to a desk, needs to be protected so that it does not get intercepted whilst it is still in transit. In the digital world one would ensure that all connections and transfers happen over encrypted channels, perhaps by using SSL. In the physical world, how are documents delivered? By registered post, trusted courier? What stops anyone with malicious intentions stealing that data? What stops your employees from making an innocent mistake and loosing those documents?
Security of data at rest
This basically means that when the data is in place and not being transferred, what security mechanisms are there directly on the data. Perhaps this one applies mostly to the digital world as not much can be done in the physical world short of old school cryptography or writing using a mirror like Leonardo da Vinci. I’m quite sure that even in the eyes of the EU that one would not be considered reasonable. Jokes apart, in the digital world one can apply column or table encryption on those columns which store personal data.
This is a costly exercise for digital companies be it financially, system performance and resource wise. However it is the most rewarding in terms of GDPR. Compare this to attempting to secure a house with burglar alarms, trip wires and biometric security – the works. There is still a chance that someone could get into the house unauthorised. However if within the house there is nothing to steal, that would be the ultimate troll. Encrypting the sensitive columns with a strong key does just that. Anyone who doesn’t have the key will see only garbage.
The added benefit of encrypting sensitive columns is that apart from protecting the data, you are also protecting your admins and your employees. Imagine, how easy would it be to blame a leak on your IT administrators just because they have full access to the infrastructure and the databases. Encrypting at database level would mean that even when the IT administrator goes into the database, unless they have the key, they would not be able to see the information. This protects them as much as it protects the data.
Security from external sources
Digital access control, roles and privileges these are all mechanisms used in the digital world. In the physical the security of your premises comes into play. Of course all the other layers and mechanisms mentioned above would also contribute to this layer of security. One more spanner in the works for the digital though is, who has physical access to your servers? Are they hosted onsite? In a data Centre? Who could potentially tamper with these physically?
Security from internal sources
Most of the times your employees do not have malicious intent, however we are all human and mistakes can be made. This layer is to consider what kind of controls and validations could be put in place to avoid such mistakes. A lot can be done through processes with validations and controls and that gives me the topic for my next post.
If you wish to be notified when new posts come out, drop us a note via the contact us section of the website and we’ll add you to our mailing list.