Updated: May 17
The European Union’s General Data Protection Regulation (GDPR) comes into effect on May 25th. These apply to any organisation that holds data on EU citizens.
In Part One of our guide to GDPR we told you to calm down, and suggested that you take a look at what you need to do to comply with the new rules. In Part Two, we’ll take a look at one of the big new aspects introduced by GDPR – Security by Design.
What Is Security by design?
GDPR contains a requirement that organisations embrace “data protection by design and default”. The data protection community has dropped the “and default” only for brevity’s sake. So when we talk of security by design we mean both parts of the requirement. Britain’s Information Commissioner’s Office sums up security by design rather nicely:
“You have a general obligation to implement technical and organisational measures to show that you have considered and integrated data protection into your processing activities.”
What this means is that security is no longer the bolt-on afterthought to how you handle data, but a core of how you consider the process.
Some security measures are things you will be doing already, like using firewalls and antivirus software on your computers. If you follow best practice you will already be encrypting files or drives that store sensitive data, as well as any data that you send by email (sending the password by a different channel, e.g. if you email the file send the password by WhatsApp). If you are not already using firewalls and encryption, now is the time to start doing so. Tools are available cheaply or for free to help you do this.
Another aspect of security overlooked by many firms is secure deletion. Files deleted from a device are not gone until the disk space they occupied has been written over with fresh information. Because of this the security guru Bruce Schneier reports of a trial where data deleted by the previous owners was recovered from 10 used cell phones. This is especially important since GDPR introduces a right for individuals to request deletion of data you hold about them. The simplest way to handle this is to use a secure deletion tool, which will automatically overwrite deleted files to the standards used by the US Department of Defence. There are several tools available, again either cheaply or for free, including BCWipe and CCleaner.
What needs to change?
There are two parts to regulations such as GDPR. First you need to comply, and then you need to be able to demonstrate that you comply.
This means that your security protocols should be stated in your data protection policy. Don’t go into details, otherwise you risk undermining them by warning hackers what they are up against. Do outline that you will for example use firewalls on all computers, devices, and servers, encrypt all stored files and use a secure deletion protocol.
‘Security by design and default’ also means that data protection should be included from the planning stages of any project, rather than as an afterthought. In the same way that you include a health and safety risk assessment, identifying hazards and how you will mitigate them, do the same for data risks. Identify what data you will be gathering, how you will store it, what you will use it for and when and how you will delete it.
Next, identify the vulnerabilities and specify what you will do to reduce or, if possible, remove the danger. Obviously there is the risk from hackers or ransomware attacks on your servers. A good quality, properly updated firewall will do here.
Next, are you going to send data? Are staff going to work from home on their own devices? Will third parties handle or use any of your data? Are your cloud providers secure?
By laying out these and taking specified steps to address them you have made your data secure by design.
This is part 2 in a 3 part mini series. See part one.