- News & Views
- Events & Publications
From what the Office for the Protection of Personal Data has published over the last weeks follows that there is some time before Compliance can be enforced with all consistency. However, with respect to that – if you have not fixed the GDPR yet, there is not any more time to delay! Fines for breach of Compliance should, according to the Office’s statement, not be liquidating but dissuasive. This is certainly a message that is not good to overlook. The office is small and has no capacity for groundless controls. Therefore, we consider it a priority to implement such technical security measures, which prevents personal data from being leaked and invoked by negligence.
We will look a little more closely at what it means in practice. It is not possible to describe all of the types and sizes of organisations and firms in this article. Let us focus on a middle-size form – production or business, 50-200 employees, where there is not massive processing of personal data –in other words, its main business is not a processing personal data, but another activity – production or business. Lawyers have a tendency to highlight the protection of the personal data from the legal point of processing, its justifiability, range and risk following from these aspects. We also find many sources highlighting the support of a technical character, so it means what to do to reduce the risk of breaking the integrity and confidentiality of processing personal data. As it happens, both views are important, one without the other is not enough to fulfil the Compliance as a whole. The responsible person for the reaching, as well as keeping, the Compliance is always the Statutory representative of the company. In principle, the person does not need any legal theory or technical details either. For that person, it is important to reach Compliance and keep it under the adequate budget corresponding with the range of processing the personal data.
Both of above mentioned points of view, can be explained on a simplified example of access control to the building. If we want to have the building secure, we equip it with technical tools (locks) and set up the processes (how one is supposed to move into the areas) and define the internal rules (where one can and where cannot go). We cover the risk by three possible ways or their combination: legally – procedurally – technically. A whole spectrum of possible solutions develops from that and we can choose for what we set up the priorities and development in time. What do I recommend on the basis of the implementation and after one month of the full operation of GDPR in terms of technology?
In the first step, I would focus on the areas, where it is possible to reach a significant level of enhancing security at a minimum expense. If we have some devices keeping personal data out of the firm’s infrastructure, it is apposable to consider turning on encryption. The operating systems of laptops and mobile phones usually offer this possibility without the necessity to buy something extra. If the device would be lost, it does not mean the loss of personal data.
The next sensitive point is the connection to the internet through a firewall. To equip this access place enough and in order for this access point to be adequately equipped and to protect us, among other things, against the loss of personal data, we absolutely recommend to choose a renowned brand or company, which specialises in this type of protection. The firewall should have cloud protection including paid support and additional services. It means it is a bigger investment, which is not too good too fast without the proper project preparation and implementation. However, there are technologies, which are included in firewalls of the new generation, but which you can buy as a service – without the necessity to buy a new device. They are responsible for protection of access to the internet (the so-called DNS), antimalware and antispam (protection against malware and protection of unwanted electronic mail). They observe the traffic and when a user tries to access to a defective or attacked website, they avoid accessing there and inform the administrator. In the same way, they are able to detect a virus or other malware or a forged e-mail. By this measure, we increase the security level in a significant way, including the protection against attack by phishing, social engineering and other dangers of data leakage including personal data. The service is charged based on monthly or annual billing without the necessity to invest into licences. Then, the implementation is quick, easy and relatively cheap.
We also recommend implementing vulnerability management systems. We all know that it is important that all devices containing any operating system are updated and properly set up. We also know that the system update itself is not enough: in Windows operating system, Acrobat Reader has to be updated as well as Internet Explorer, Flash Player, Microsoft Office and other software. Similarly, there are servers and other network infrastructure elements. A larger infrastructure usually has a large number of elements that have multiple requirements for updating the individual parts. Each one contains vulnerabilities that become a security threat for the entire system without properly updating. In addition, vulnerabilities are evolving over time. It is very difficult to keep the larger system in a safe state manually, without further support. Moreover, it is difficult for management to have control over the state of the infrastructure, and, thus, also the certainty that the Compliance that requires such vulnerability management really continues to last. Even this can be obtained in the form of a service, whether it be one-time or, better, regular, or if you purchase the product and train your experts to use it.
The above technology or any other suitable for deployment to a specific organisation is good to implement it based on a set, comprehensive information security policy not blindly. This is the only way to bring the security that management expects and which corresponds to the Compliance with GDPR for the company.
In conclusion, each company has other specific needs and intent, it manages other assets in the information infrastructure (not only personal data), each company is in a different current situation, and, therefore, an individual approach is necessary to properly understand and set all the processes in the company. And this is related to an individual approach to investment in technologies and their management.