GDPR For Small Businesses - Part 4: How to Keep Personal Data Secure

Having discussed the first three sections of the EDPB’s Data Protection Guide  for Small Businesses published to help SMEs in the EEA, we now move on to the final section, How to Keep Personal Data Secure. According to Article 32 of the GDPR, “the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.”

A lack of security of the personal data of individuals will have a negative impact not only on the individual whose data has been affected but also on the organization who risks having its image be degraded, losing the trust of its customers, and paying both large amounts of money to recover from a security incident and hefty fines where data protection authorities determine a violation of the GDPR applies. 

Data security has three main components: the integrity, the availability and the confidentiality of the data. Therefore, your organization should evaluate risks for the following:

1. unauthorized or accidental access to data - breach of confidentiality (e.g. identity theft following the disclosure of the pay slips of all employees of a company);
2. unauthorized or accidental alteration of data - breach of integrity(e.g. falsely accusing a person of a wrongdoing or crime as a result of the modification of access logs);
3. loss of data or loss of access to data - breach of availability (e.g. failure to detect a drug interaction due to the impossibility of accessing the patient's electronic record).

It is advisable that your organization identifies potential risk sources, taking into account both internal and external human sources, internal or external non-human sources, which in turn will allow you to  identify potential threats on supporting assets which can be used in an inappropriate manner, modified, lost, observed, deteriorated, overloaded, or made unavailable. In addition to this, you should: 

• determine the existing or planned measures to address each risk;
• estimate the severity and likelihood of the risks, based on the above elements;
• implement and verify planned measures if existing and planned measures are deemed appropriate, ensure that they are implemented and monitored;
• conduct periodic security audits: each audit should result in an action plan whose implementation should be monitored at the highest level of the organization.

In our previous post, we discussed the importance of and obligation to conduct a Data Protection Impact Assessment (DPIA), which must contain the measures intended to address the identified risks, including safeguards, security measures and mechanisms to ensure the protection of personal data.

It is important to maintain the security of the personal data and towards that end there are a series of measures that you can implement, divided into organizational measures and technical measures, as follows: 

Organizational measures

• Raise user awareness: make employees or users handling personal data (data handlers) aware of the risks related to privacy, inform them of the measures taken to address the risks and the potential consequences in case of failure.
• Document the operating procedures: any personal data processing activity, whether it concerns administrative operations or the simple use of an application, should be explained in a clear language and adapted to each category of handler, in documents to which they can refer.
• Set up an internal policy: this can be a document, which should be binding and integrated into internal regulations. The internal policy should particularly include a description of data protection and safety rules.
• Implement an information classification policy that defines several levels and requires marking of documents and emails containing confidential data.
• Make a visible and explicit statement on each page of a paper or electronic document that contains sensitive data.
• Conduct information security training and awareness sessions. Periodic reminders can be provided via email or other internal communication tools.
• Provide for the signing of a confidentiality agreement or include a specific confidentiality clause regarding personal data in contracts with employees and other data handlers.

Technical measures

• Secure equipment: it is advisable to secure: hardware, software, communication channels, paper documents, and premises.
• Secure workstations: use an automatic session lockout mechanism when the workstation is not used for a given period of time, install firewall software, use regularly updated antivirus software, limit the connection of external media such as USB sticks, external drives, to the essentials.
• Protect the company's premises: Access to the premises must be controlled to prevent or slow down direct, unauthorized access to paper files or to computer equipment, particularly servers.
• Authenticate users: To ensure that users access only the data they need, they should be given a unique identifier and should authenticate themselves before using the computer facilities.
• Manage authorizations: Differentiated levels of authorization profiles should be implemented according to needs. Users should only have access to data on the basis of the needs to know.
• Pseudonymize data: pseudonymization consists in replacing directly identifying data (name, first name, personal number, phone number, etc.) in a data set with indirectly identifying data (alias, sequential number, etc.). It makes it possible to process the data of individuals without being able to identify them in a direct way. 
• Encrypt data: Encryption is used to guarantee the confidentiality of data. Encrypted data is still personal data. As such, encryption can be considered as one of the pseudonymization techniques.
• Anonymize data: Personal data can be rendered anonymous in such a manner that the individual is not or no longer identifiable. Anonymization is a process that consists in using a set of techniques to make personal data anonymous in such a way that it becomes impossible to identify the person by any means that are reasonably likely to be used.

Example checklist for your organization 

• Inform and educate data handlers regularly about privacy related risks
• Set up an internal policy and give it binding force
• Implement data protection by design and by default
• Make sure the data processed is adequate, relevant and limited to what is necessary (data minimisation)
• Implement an information classification policy for confidential data
• Put a specific indication on documents containing sensitive data
• Conduct information security training and awareness sessions, along with periodic reminders.
• Sign a confidentiality agreement with your employees or include specific confidentiality clauses
• Provide automatic session lockout, up-to-date firewall and antivirus, backup storage for users
• Limit physical connection (USB sticks, external hard drives, etc.) to the essentials
• Protect the company’s premises (e.g. intrusion alarms, smoke detectors, protected keys, distinguished room according to the risk, authorisations to access specific areas, dedicated fire fighting system)
• Give an unique identifier to users
• Require authentication to access computer facilities
• Manage authorizations (e.g. separated profiles according to needs, unique identifier, strong passwords)
• Issue a telework safety policy
• Remove obsolete access permissions
• Carry out regular review of the authorizations
• Pseudonymize or anonymize data to limit the reidentification of individuals
• Encrypt data to prevent unauthorized access
• Install a VPN for telework
• Make sure to secure personal devices used for work (BYOD). 

In addition to these four articles we have discussed, we have prepared for you the EU GDPR Overview, which you will find in our website’s Resources section along with the other privacy regulations that Clym supports currently.