Updated: Apr 13, 2020
Companies have altered their approach when it comes to data security to comply with GDPR.
A study conducted by a website called BreachLevelIndex.com, the number of data records being stolen on a daily basis amount to approximately 5 million.
As if that’s not big enough, since 2013 up to present, there have already been a total of 9 billion+ data records that have been breached. To make things worse, only 4% of this is considered a “secure breach” with encryption where the data that were stolen were unusable. From these stats alone, it is as clear as day that there is a greater need to increase not only awareness when it comes to security but a stronger implementation as well otherwise none of us are safe!
Some notable breaches that greatly affected people and organizations range from malware, viruses, cyber fraudulence and everything in between. The National Health Services experienced identity theft during March 2017 where it affected 26 million medical records. The doctors, who originally had good intentions, were not able to foresee the potential negative consequences that will be brought by “enhanced data sharing”.
The lesson that we can all learn from these unfortunate situations is that breaches have become ubiquitous. Which is why protecting data records at all costs is needed now more than ever.
While there are no specific methods on ensuring security within the regulation, Article 32, however, provides this guideline:
TAKING INTO ACCOUNT THE STATE OF THE ART, THE COSTS OF IMPLEMENTATION AND THE NATURE, SCOPE, CONTEXT AND PURPOSES OF PROCESSING AS WELL AS THE RISK OF VARYING LIKELIHOOD AND SEVERITY FOR THE RIGHTS AND FREEDOMS OF NATURAL PERSONS, THE CONTROLLER AND THE PROCESSOR SHALL IMPLEMENT APPROPRIATE TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE A LEVEL OF SECURITY APPROPRIATE TO THE RISK, INCLUDING INTER ALIA AS APPROPRIATE.
Encryption, pseudonymization, anonymization and a whole lot more are only some of the recommended security methods to be used for compliance.
But most often than not, one aspect that most companies tend to overlook is the security of the processing specifically stated:
A PROCESS FOR REGULARLY TESTING, ASSESSING AND EVALUATING THE EFFECTIVENESS OF TECHNICAL AND ORGANIZATIONAL MEASURES FOR ENSURING THE SECURITY OF THE PROCESSING.
A major change in the current Data Protection Directive is the shared responsibility between the controller and the processor. Before GDPR, the controller was the one who is held accountable whenever a breach occurs for their failure in choosing a competent processor. While this may still exist somehow, GDPR, however, wants to hold the person that is truly responsible for the breach accountable regardless if they’re the controller or the processor. The best way to approach this is for both of them to formulate and implements a more fitting technical and organizational measure to maintain top-notch security.
A big change, as opposed to the current Data Protection Directive, is the shared responsibility between the controller and the processor. Until now, the responsibility always fell on the controller, who was responsible for choosing any processors wisely. This responsibility still exists in a certain manner. However, if the data breached is attributed to the processor they will be held responsible. That being said, both the controller and the processor must implement appropriate technical and organizational measures to ensure security.
To be compliant to GDPR when it comes to security, companies and businesses must keep these four main attributes of security controls in mind: confidentiality, integrity, availability and resilience. Having all of these attributes will ensure the durability of your company’s security and if anyone of these four lacks, failure will eventually come your way.
To fully comprehend what these four attributes represent and how they can help you be compliant with data security in the era of GDPR, let us break them one one-by-one:
Confidentiality – is limiting and identifying the people who are only allowed to access data. The best approach towards confidentiality is by determining the people who really need to process data and exclude the rest.
Integrity – is making sure that the data being kept is accurate and complete all the time.
Availability – is ensuring that all the data necessary for business transactions will be available at all times! Through this, you can guarantee that your company will be productive and will provide you with needed data should you face any problems.
Resiliency – an addition to the EU data protection law, is the ability of a company to be able to overcome and recover from any threats and / or errors that will come their way.
It is quintessential for every business to fully comprehend that security is way more than just passwords, encryption and/or MFA. Real security is the one that can endure attacks to ensure that the risks of data breaches are minimized. Security should always be the main priority and should be thought through before even processing any data. Another significant point that companies should keep in mind is the assessment of the possible risks that might or might not occur. A data protection assessment is also necessary AND recommended by the GDPR.
Doing so would help calculate the risks that might occur and the measure that one can take to help mitigate them. It is anticipating the worst and preparing the appropriate methods to prevent or at least minimize the damages.
To sum up the foregoing, it would help knowing the type of data that your company processes and why you process it. How the data is being stored and the possible impact of the processing is also a must. Concise policies that are easy to understand should also be disseminated for employees to follow accordingly – they also have a role in GDPR compliance.
Defining the access levels within your company is also appropriate and the security methods that would be of great help when a breach might occur to aid in rendering data useless. Among all of these, one thing is for sure: the most significant contribution of GDPR is its comprehensive approach to security. When compiled properly, the numbers of unfortunate breaches would eventually be lowered and corrected.