The implications of GDPR on IT Security.
What are the Security Principles and how do they impact on our IT Security?
There are three main principles connected to IT security, and they make a lot of sense when you think about them. They are confidentiality, integrity and availability. All major IT security measures work on these principles, so encryption, backups, patch management, disaster recovery, antivirus and others will incorporate them in some way.
However, one of the most recent impacts they have on your IT security comes when you consider them with GDPR in mind.
The concept of information security within GDPR is known as the ‘Security Principle’. A lot of time, energy and money has been spent by businesses on the implementation of the General Data Protection Regulation, although in many respects a number of its requirements were mirrored from the Data Protection Act.
Since then, however, there have been substantial changes in technology, in cybercrime, and in the amount of personal data held by companies and the way it is held.
Introducing Article 5(1)(f)
This concerns the “integrity and confidentiality” of personal data and states that personal data shall be:
“Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”
In a nutshell, this means that all of your customers’ and staff’s details and data need to be stored securely and confidentially, so that no one without the correct authorisation can get their hands on it.
But what is “appropriate security”?
Some would answer “how long is a piece of string?”. However, it may be easier to think about your data storage like a filing cabinet. Think about where it’s placed: can anyone access it, or does one person have the key? Do they keep the key in an easily accessible drawer in their office desk or on a chain around their neck? Could someone walk into the building and just open the filing cabinet?
The amount of money and effort a company spends on securing its data is going to be related to the size and turnover of the company, the cost and complexity of the solution, and the kind of data being processed. A small business isn’t going to lock a filing cabinet in a metal-lined vault, but a major financial institution might.
Article 32 references “assessing the appropriate level of security”. So there seems to be an acceptance that what is achievable and appropriate for one company will not necessarily be achievable and appropriate for another. But easily accessible and long-standing best-practice systems and processes are a good starting point.
Data protection “by design and by default”
Let’s stick with the filing cabinet. What happens when it becomes so old that it’s possible to open it with the end of a spoon? It’s probably not doing its job very well. This is where Article 25 (1-3) of the GDPR comes in.
Data controllers are required to “implement appropriate technical and organisational measures” and “integrate the necessary safeguards”. Basically, order a new filing cabinet! From an IT security perspective this actually means staying up to date with patch management and regular software updates, antivirus software, network and email security, and staff training, to name just a few. Updating your software regularly helps to keep your data safe.
What is considered to be “Security”?
When you leave the office at night do you lock the door to the building that the filing cabinet is in? Could someone wander in with a sack barrow and walk off with it? Hopefully you have a locking door, alarm system and maybe a security guard. With GDPR you need to think about how secure your IT system is. Is the Firewall regularly updated? Are your emails encrypted? Are files password protected?
Businesses also need to remember that while information security is sometimes considered a cyber security issue (the protection of your networks and information systems from external cyber-attack), it also covers other potential issues, such as building security, secure server rooms, fireproof safes and off-site disaster recovery processes, as well as making sure that any contractors you work with also follow the same procedures.
Availability of Data.
The GDPR and surrounding guidance references ‘integrity and availability of systems and services’ as well as stating “The measures must also enable you to restore access and availability to personal data in a timely manner in the event of a physical or technical incident.”
If the worst happened and your business was hacked, how would you recover the data? Using cloud-based, regularly updated backups could be one way of solving the problem. Additionally, it is worth ensuring that members of your team know the protocol should anything happen on or off site. Remember that this should include lost and misplaced devices such as phones and laptops.