This post explains five technical security measures that play a central role in the processing of personal data and help meet the obligations of proactive responsibility established in the GDPR. These measures are useful both to prevent personal data breaches and, should one occur, to minimise its negative impact on the individuals concerned.
I. Why is it necessary to adopt security measures oriented towards the protection of personal data?
Today, data processing by electronic means is everywhere, and organisations are exposed to a range of threats in the digital environment that far exceed the security problems of the physical environment. Any type of organisation may be affected, so it would be a serious mistake to believe that belonging to a small company, or using a computer only in the private sphere, keeps us from being a potential target. Any information, including personal data, stored on a computer may be the object of a cyberattack.
Now that teleworking has become essential for many organisations because of COVID-19, the use of mobile devices has surged, and threats to the privacy of client data, as well as to the personal data of employees, are more present than ever.
In this scenario, good risk management at all levels is essential. Emphasis must be placed on the processing we actually perform: clearly identifying it, assessing the threats that could materialise, and selecting the technical and organisational measures best suited to avoiding or mitigating their negative effects. The most effective measure will always be to avoid unnecessary processing: for example, data should not be stored, transferred or processed locally when this is not essential for the purposes pursued.
II. Top 5 technical measures with regard to security
Since privacy may be affected by confidentiality, integrity and availability incidents, a combination of basic security measures is needed to address all three.
Article 33 of the GDPR establishes the obligation to notify the supervisory authority of any personal data breach within 72 hours of the breach having occurred (more information may be found in the Guide to manage and to notify security breaches published by the AEPD).
Since the obligation to notify personal data breaches came into force, the AEPD has registered more than 2,400 breaches through its electronic office, more than 400 of them in the last three months, a 48 % increase over the same period last year. The most frequent types of incident and victim may be consulted in the statistics that are published regularly. Most of these security incidents do not involve sophisticated cyberattacks; often they could have been avoided, or their consequences minimised, if a reasonable risk assessment had been performed and basic security measures such as those described below had been implemented. These measures are valid for any organisation regardless of its size or sector.
i. Use of secure passwords and second authentication factor
A sound password policy must be established for access to systems. It may start with not storing passwords unencrypted, requiring that passwords be changed frequently, and prohibiting their reuse across different services. It is advisable to read the CNN Guide on the topic.
In view of the incidents of mass password cracking, relying on a second authentication factor is necessary for the most critical systems and advisable for the rest. Using a second factor means that, in addition to the username and password, additional proof is required to complete authentication, such as a biometric element, a pseudorandom code, or the delivery of a one-time code, established for each user.
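The two points of this section, storing passwords only as salted slow hashes and requiring a one-time code as a second factor, can be shown together in a short login routine. The following is an added example written for this post; it is not code from the AEPD or from any guide it cites. It uses only the Python standard library: PBKDF2-HMAC-SHA256 for password storage (the iteration count is an assumed work factor) and a TOTP implementation following RFC 6238, whose published test-vector key is used as the constructed user's secret.

```python
import hashlib
import hmac
import os
import struct

# --- Password storage -------------------------------------------------------
# The system never stores the password itself, only a salted, slow hash of it.
# 600,000 iterations is an assumed work factor for this example; raise it as
# hardware allows.
PBKDF2_ITERATIONS = 600_000

def hash_password(password: str) -> dict:
    """Build the record to store instead of the clear-text password."""
    salt = os.urandom(16)  # a fresh random salt per user defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}

def verify_password(password: str, record: dict) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    # constant-time comparison: a plain == would leak timing information
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))

# --- Second factor: time-based one-time code (TOTP, RFC 6238) ---------------
def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """Code valid for the `step`-second window containing `timestamp` (HMAC-SHA1)."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, timestamp: int,
                step: int = 30, window: int = 1) -> bool:
    """Accept the current window plus `window` steps either side to absorb clock drift."""
    return any(hmac.compare_digest(totp(secret, timestamp + d * step, step), code)
               for d in range(-window, window + 1))

# --- Both factors together ----------------------------------------------------
def login(users: dict, username: str, password: str, code: str, now: int) -> bool:
    """Both factors must pass; every failure cause yields the same generic result."""
    rec = users.get(username)
    if rec is None:
        return False
    if not verify_password(password, rec["password"]):
        return False
    return verify_totp(rec["totp_secret"], code, now)

if __name__ == "__main__":
    # Constructed user store; the TOTP secret is the RFC 6238 test-vector key.
    users = {"ana": {"password": hash_password("correct horse battery staple"),
                     "totp_secret": b"12345678901234567890"}}
    current_code = totp(users["ana"]["totp_secret"], 59)
    print(login(users, "ana", "correct horse battery staple", current_code, 59))
```

The drift window deserves attention: one step either side is enough for ordinary clock skew, while a wider window multiplies the number of codes an attacker could guess. A production system would also rate-limit failed attempts and store the TOTP secret encrypted at rest.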
ii. Backup copies
Today, threats such as ransomware, or data hijacking, are among the most widespread and damaging incidents, and they usually cause the temporary or permanent unavailability of data and services.
In this case, backup tools are essential to recover from the incident (Article 32.c of the GDPR). A policy must be carefully established on how backups will be performed within the organisation. We highly recommend reading this INCIBE Guide on the topic.
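A backup policy is only useful if the copies can actually be restored, and ransomware that reaches the backup medium will silently corrupt them. The following added example (written for this post, not from the AEPD or INCIBE guides) shows one way to make restorability checkable: a SHA-256 manifest of the backup set, kept apart from the copies themselves, against which every copy is verified before it is trusted. The directory layout, file names and the simulated incident are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(backup_dir) -> dict:
    """Map each file in the backup set (relative path) to its SHA-256."""
    root = Path(backup_dir)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_backup(backup_dir, manifest: dict) -> dict:
    """Compare the backup set against a manifest kept separately from it."""
    current = build_manifest(backup_dir)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "altered": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "unexpected": sorted(set(current) - set(manifest)),
    }

def demo() -> tuple:
    """Verify a healthy copy, then the same copy after a simulated ransomware run."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "hr").mkdir()
        # Constructed sample files standing in for exported personal data
        (root / "clients.csv").write_text("id,name\n1,Example Client\n")
        (root / "hr" / "payroll.csv").write_text("id,salary\n1,1000\n")
        manifest = build_manifest(root)
        # In practice this JSON is stored (and ideally signed) off the backup
        # medium, so that an attacker who reaches the copies cannot rewrite it.
        manifest_json = json.dumps(manifest)
        healthy = verify_backup(root, json.loads(manifest_json))

        # Simulated incident: one file overwritten with "encrypted" bytes,
        # another renamed with a ransom extension.
        (root / "clients.csv").write_bytes(os.urandom(64))
        (root / "hr" / "payroll.csv").rename(root / "hr" / "payroll.csv.locked")
        damaged = verify_backup(root, json.loads(manifest_json))
        return healthy, damaged

if __name__ == "__main__":
    before, after = demo()
    print("healthy copy:", before)
    print("after incident:", after)
```

Running the check on a schedule, from a host that has read-only access to the copies, turns "we have backups" into evidence that the copies are complete and untouched, which is what a recovery plan under Article 32 needs.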
iii. Updated systems
One of the most effective measures is to keep systems updated at all times, since manufacturers continuously release security patches and improvements as problems are detected. This applies not only to the operating system of our workstations and servers, but also to the programs we use on our devices, which must be kept at the latest version made available by the manufacturer. A routine of frequent updates must be established that is documented and traceable.
It should not be forgotten that, in the case of the well-known WannaCry attack, which affected millions of devices around the world, a security update from Microsoft had already been available three months before the attack took place.
iv. Exposure to services on the Internet
Sometimes, in order to carry out a maintenance task, run tests, or allow a one-off access, settings are applied to systems that compromise their security. These stopgap solutions often go unsupervised and end up becoming permanent, leaving a security hole open. Cases such as allowing unrestricted access from the Internet to a database, or to a remote server, are very frequent.
It is very important for organisations to define a strict policy on the services exposed to the Internet. Likewise, remote access must always take place through a VPN, a reverse proxy, or similarly effective measures.
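A "strict policy on the services exposed" is easiest to enforce when it is written down as a list and checked mechanically against what a host actually listens on. The following added example (written for this post; it is not AEPD code) does that for the output of the Linux `ss -tlnp` command: every listener that is reachable from the network and is not in the approved list is reported, and well-known database or remote-desktop ports are rated high. The two policy tables and the sample `ss` output are constructed for the example; a real deployment would feed it the live command output and its own approved list.

```python
import ipaddress
import re

# Constructed policy tables (assumptions for this example, not a standard):
# the only services allowed on a network-reachable address, and services that
# must never be reachable from the Internet directly.
ALLOWED_EXPOSED = {22: "ssh (expected behind VPN or bastion)", 443: "https"}
NEVER_EXPOSED = {3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis",
                 27017: "MongoDB", 3389: "RDP", 5900: "VNC", 445: "SMB"}

# One listening socket per line, in the column layout of `ss -tlnp`.
LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"')

def parse_listener(line: str):
    """Return (address, port, process) for a LISTEN line, or None for anything else."""
    m = LISTEN_RE.match(line.strip())
    if not m:
        return None
    return m.group("addr").strip("[]"), int(m.group("port")), m.group("proc")

def is_network_reachable(addr: str) -> bool:
    """True unless the socket is bound to a loopback address only."""
    if addr in ("*", "0.0.0.0", "::"):
        return True
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return True  # unknown form: treat as reachable so that it gets reviewed

def audit_listeners(lines) -> list:
    """Flag every network-reachable listener that the exposure policy does not allow."""
    findings = []
    for line in lines:
        parsed = parse_listener(line)
        if parsed is None:
            continue
        addr, port, proc = parsed
        if not is_network_reachable(addr) or port in ALLOWED_EXPOSED:
            continue
        severity = "high" if port in NEVER_EXPOSED else "review"
        findings.append({"port": port, "process": proc, "bind": addr, "severity": severity,
                         "note": NEVER_EXPOSED.get(port, "not in the approved exposure list")})
    return findings

# Constructed sample in the format of `ss -tlnp` (not a capture from a real host)
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22       0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      511          0.0.0.0:443      0.0.0.0:*     users:(("nginx",pid=1203,fd=6))
LISTEN 0      70           0.0.0.0:3306     0.0.0.0:*     users:(("mysqld",pid=1310,fd=21))
LISTEN 0      244        127.0.0.1:5432     0.0.0.0:*     users:(("postgres",pid=1402,fd=5))
LISTEN 0      128             [::]:8080        [::]:*     users:(("python3",pid=2210,fd=4))
"""

if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS_OUTPUT.splitlines()):
        print(f"[{f['severity']}] port {f['port']} ({f['process']}) bound to "
              f"{f['bind']}: {f['note']}")
```

In the sample, PostgreSQL bound to 127.0.0.1 passes, MySQL on 0.0.0.0 is rated high, and the unplanned test service on port 8080 is listed for review, which is exactly the "temporary" change the section warns about. The check looks at the host only; whether a non-loopback bind is really reachable from the Internet also depends on perimeter firewalls, so the host-level result is a starting point for review rather than a verdict.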
v. Device encryption
A basic measure to ensure the confidentiality of information is to make encryption compulsory, at least for portable devices, which are easily lost or stolen. This recommendation applies not only to laptops, but also to phones, tablets, USB sticks, external hard drives, and backup copies stored elsewhere. A system access password does not ensure the confidentiality of the content in case of theft or loss, so it must be complemented with encryption. This measure is among those expressly mentioned in Article 32 of the GDPR.
Another approach under the GDPR is to apply data minimisation on devices: holding the smallest amount of personal data, for the shortest time, on the device, and only for the purposes of the processing. This post on the AEPD blog contains more information.
This post is part of a monograph on data breaches.