GDPR (15) Measures to protect personal data
In the previous instalment of this blog, we discussed the importance of an impact assessment. The size of each risk determines which protection measures are needed. In this instalment we discuss the actual measures to be taken. Obviously a small organisation will not tackle matters in the same way as a large company. That said, a brief introduction to the framework of a system such as ISO 27001 is useful since you need to follow the same reasoning and logic.
The first aspects covered by ISO 27001 relate to policy and organisation. You need to formulate the starting points of your policy. This can be done in as little as two sentences. The use of personal data must be legal and have a legitimate purpose. You must also ensure the data are adequately protected. The general manager is responsible for shaping policy in this area. Although the general manager may delegate this task, he or she remains responsible and must also assess the policy’s effectiveness every year.
The next aspects relate to measures in various areas that need to be taken in one way or another by all businesses and organisations, regardless of their type.
- Employees (screening / training and awareness / former employees)
  - When recruiting employees, pay attention to the candidates’ sense of responsibility.
  - If you process sensitive data, ask for a list of previous convictions (you will also have to treat this as sensitive information!).
  - Include a confidentiality clause in your employment contracts. This may take the form of a simple sentence, such as: ‘All personal data that you use in your working environment are confidential and may be used only for the task you have to perform.’
  - Ensure your employees (and you) are given training relating to data protection on a regular basis.
  - Make sure that former employees no longer have access to data and do not hold on to any business assets (including data on paper or in a digital format).
- Classification and use of assets
  - Keep records of data processing operations and supplement these records by performing a risk assessment.
  - Take care with removable media (e.g. memory sticks containing data) and devices that are to be scrapped. Take steps to prevent data from falling into the wrong hands.
- Access rights
  - Ensure that your passwords are sufficiently complex and keep them strictly private.
  - Allow your employees to access only the information they require to perform their work. Use job categories for this purpose.
  - Restrict administrator rights in systems to authorised persons only.
- The GDPR specifically mentions data encryption as a protection measure, and it is certainly advisable to use encryption when exchanging data or storing it for long periods of time.
  - Examples include the use of the HTTPS protocol on websites, the SFTP protocol for data transfers, and e-mail encryption.
  - An IT partner may provide assistance. Do not forget to reach proper agreements with your IT partner so that it does not present a new security risk.
- Physical security
  - Turn on your PC’s screensaver when you are not at your desk.
  - Do not leave any documents lying around at the end of the working day (clean desk policy).
  - Develop a key plan for desks and cupboards.
  - You might require gates, an alarm system, camera surveillance or a badge system, and perhaps separate zones within your buildings.
  - Protect your equipment against power cuts. Take steps to prevent mechanical failures.
  - Always accompany visitors and provide them with confidentiality guidelines.
  - Pay additional attention to rooms containing sensitive data, such as server rooms or archives where confidential dossiers are stored.
- Network security
  - Use a firewall, virus protection and content filtering to protect your network against external risks.
  - Divide larger networks into zones. Take steps to prevent system failures. Monitor and log network activity.
- Security measures to be taken when developing applications or systems
  - Separate the test environment from production and develop rules for transferring data.
  - Always consider security and perform tests before bringing systems into use.
- Monitoring processing operations by third parties
  - Reach contractual agreements on security and data protection with your suppliers.
  - Assess the operations of your suppliers and follow up your assessments on a regular basis.
- Ensure proper maintenance and deduplication to reduce the risk of system failures.
- Back up data and draw up a system recovery plan for use when serious problems arise.
- Incident management
  - Record all incidents that expose you to the risk of data privacy violations.
  - Any data breaches that may have an impact must be reported.
  - Check that your security is adequate and have it evaluated.
Although the measures in this list are obviously examples, and every organisation will handle implementation in a slightly different way, you can use the list to help you identify all the areas in which you can actively reduce risks. We will take a closer look at some of these areas, to which the GDPR pays special attention, in the upcoming instalments of this blog. These include monitoring subcontractors and other third parties, and what you need to do in the event of a data breach.
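The access-rights items above (access by job category, administrator rights limited to authorised persons, former employees losing access) can be expressed as a small role-based access check. The following is an added example written for this post, not code from the original blog or from Group Joos; the job categories, data sets, staff directory and audit-log format are all constructed for illustration. It also covers the incident-management item of keeping a record: every access decision is written to an audit log so that access to personal data can be reviewed afterwards.

```python
"""Least-privilege access control keyed on job category (constructed example)."""
from dataclasses import dataclass

# Job category -> the (data_set, action) pairs that category genuinely needs.
# Constructed roles for illustration; a real organisation derives these from
# its record of processing operations and its risk assessment.
ROLE_PERMISSIONS = {
    "payroll":   {("salaries", "read"), ("salaries", "write"), ("hr_records", "read")},
    "reception": {("visitor_log", "read"), ("visitor_log", "write")},
    "sales":     {("customers", "read"), ("customers", "write")},
    "sysadmin":  {("server_config", "admin")},   # the only category holding admin rights
}


@dataclass(frozen=True)
class Employee:
    name: str
    roles: frozenset          # job categories, never individual grants
    active: bool = True       # former employees are deactivated, not forgotten


def permissions_for(employee: Employee) -> frozenset:
    """Union of the permissions of every job category the employee holds.

    A deactivated (former) employee has no permissions at all, whatever
    categories are still recorded against the account.
    """
    if not employee.active:
        return frozenset()
    granted = set()
    for role in employee.roles:
        granted |= ROLE_PERMISSIONS.get(role, set())   # unknown role grants nothing
    return frozenset(granted)


def is_allowed(employee: Employee, data_set: str, action: str, audit_log: list) -> bool:
    """Default-deny access decision; every decision, allowed or not, is logged."""
    decision = (data_set, action) in permissions_for(employee)
    audit_log.append({"who": employee.name, "what": f"{action}:{data_set}", "allowed": decision})
    return decision


def admins(staff: dict) -> list:
    """Names of everyone currently holding an 'admin' permission on any data set,
    the list to check during the yearly review of administrator rights."""
    return sorted(e.name for e in staff.values()
                  if any(action == "admin" for _, action in permissions_for(e)))


# Constructed staff directory.
STAFF = {
    "alice": Employee("alice", frozenset({"payroll"})),
    "bob":   Employee("bob",   frozenset({"reception"})),
    "carol": Employee("carol", frozenset({"sysadmin"})),
    "dave":  Employee("dave",  frozenset({"payroll"}), active=False),  # left the company
}

if __name__ == "__main__":
    log = []
    print(is_allowed(STAFF["alice"], "salaries", "write", log))   # True: payroll needs it
    print(is_allowed(STAFF["alice"], "customers", "read", log))   # False: not her job
    print(is_allowed(STAFF["dave"], "salaries", "read", log))     # False: former employee
    print(admins(STAFF))                                          # ['carol']
    for entry in log:
        print(entry)
```

The design choice worth noting is that nothing is granted to a person directly: rights attach to job categories, so changing someone's job is a change of category rather than a hunt for individual grants, and leaving the company is a single `active=False` that overrides every category at once.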
Viktor D’Huys is the ICT manager of Group Joos. He is responsible for matters including data security and the coordination of the GDPR project. He is a Certified Information Security Manager (CISM certified by the ISACA) and has been awarded the CIPP/E (Certified Information Privacy Professional/Europe) credential by the IAPP (International Association of Privacy Professionals).
If you have any questions or comments, please write to us at firstname.lastname@example.org.