The General Data Protection Regulation (GDPR) came into effect in May 2018. We touched on the GDPR in one of our earlier blog posts in terms of what it means for your business. In this blog post, we revisit the GDPR but look at it from a security perspective. Specifically, we cover the following topics:
- A brief recap of GDPR
- Why be concerned about data security?
- What do you need to protect?
- Organizational and technical measures to consider
Recap – What is GDPR?
Before we dive into the security implications of the GDPR, first a quick recap and definition of the GDPR!
The General Data Protection Regulation (EU) 2016/679 (“GDPR”) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to data subjects over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
Understanding whether you are processing personal data is critical to understanding whether the GDPR applies to your business activities. Personal data is information that relates to an identified or identifiable individual. What identifies an individual can include, but is not limited to the following:
- a name
- unique number
- IP address
- cookie identifier
- zip code
If it is possible to identify an individual directly from the information you are processing, then in regards to GDPR, that information can be considered personal data.
Why be concerned about data security?
With the likes of the Facebook/Cambridge Analytica scandal and other such stories, it’s important for businesses to make data security a priority. Poor information security procedures can leave your business at risk, cause real distress to the individuals whose data is exposed and, in the worst-case scenario, put lives in danger!
Some examples of harm that can be caused due to the loss or abuse of personal information can include, but are not limited to:
- identity fraud
- fraudulent bank or credit card transactions
- mortgage fraud
- exposure of newly released offenders to vigilantes
- court witness intimidation
- hyper-targeting of people using compromised data (which can be highly convincing)
Now that we’ve recapped on what GDPR is and why data security should be on your list of priorities, it’s time to look at what aspects of data processing you need to protect.
What do you need to protect, and what level of security is required?
The GDPR goes beyond the way you store or send personal data – it also covers every aspect of your data processing. Because of this, any security measures that you deploy need to ensure that:
- Data remains accessible and usable. For example, if data is accidentally lost, destroyed or altered, you need to be able to recover it to prevent any potential distress to the individuals concerned.
- The data you hold is accurate and complete in relation to the purpose for which you are processing it.
- Data can only be accessed, amended, disclosed or deleted by those who are authorized to do so.
Whilst the GDPR doesn’t explicitly define the security measures you need to have in place, it does require that you have a level of security that is appropriate to the risks presented by your data processing. Really, there is no “one size fits all” approach to ensuring that your business is GDPR compliant.
As such, “appropriate” measures will depend on your business’s own unique set of circumstances. Assess the landscape of your business, and consider the scope, context, and purpose of your data processing.
Review the personal data that you hold, how you use it as well as the impact or distress that could be caused if the data was compromised. Other important factors to consider can include:
- The number of staff that you employ
- Personal data held by a data processor acting on your behalf e.g. do you submit user data to social media APIs?
- The size of your computer network (geo-locations?)
Organizational Measures to Consider
An important, and probably one of the first, organizational measures you should take to ensure your business is GDPR compliant is to carry out an information risk assessment. The results of this risk assessment will probably lead to additional organizational changes and possibly even culture changes in your business. No more casually sharing USB drives without following your new GDPR-compliant processes!
Assigning an employee that has overall responsibility for information security is a step in the right direction and depending on the size of your business, you may decide to assign a Chief Data Officer.
Processes should be implemented and shared across your business to ensure that employees know what to do in the event of a data breach, and to whom to escalate matters.
Technical Measures to Consider
Technical measures in the IT world typically fall into two categories: cybersecurity, and securing physical premises or equipment. Depending on the sophistication of your systems and the technical expertise of your staff, you may even need to enlist the services of a security expert. Some of these measures include, but are not limited to:
Cyber Security Measures to Consider
- System security – how secure is your network or information systems that process personal data?
- Data security – how secure is the data you hold? For example, ensure that appropriate access controls are deployed and that data is stored securely
- Online security – for example, if you run a SaaS platform, is your website or web service secure?
Physical Measures to Consider
- How well protected are your physical premises? Do you have alarms or CCTV?
- How is access to your premises controlled?
- How do you dispose of waste such as old electronics or printouts?
- How are mobile devices such as company phones or laptops secured?
In this blog post, we’ve looked at the GDPR and the implications it can have on your business from a security perspective.
At the end of the day, your business needs to ensure it has adequate cyber and physical security measures in place that are appropriate to the size of its network and information systems. From a commercial perspective, you should consider the costs of implementing technology that will help you become GDPR compliant.
Only implement measures and procedures that are appropriate to the activities of your business. For example, if you let staff work remotely, deploy measures that ensure data security isn’t compromised whilst they work from their home office.
Take the time to cover the things we’ve discussed in this article and you’ll be on your way to becoming GDPR compliant!
Here at Growth Acceleration Partners, we have extensive expertise in many verticals. Our integrated nearshore and onshore business model helps keep costs down while maintaining the same level of quality and professionalism you’d experience from an onshore development team.
Our Centers of Engineering Excellence in Latin America focus on combining business perspective with development expertise to help your business scale and become sustainable. We can provide your organization with resources in the following areas:
- Software development for cloud and mobile applications
- Data analytics and data science
- Information systems
- Machine learning and artificial intelligence
- Predictive modeling
- QA and QA Automation