The GDPR specifies that data controllers and data processors have to implement appropriate technical and organisational measures to ensure a level of security of personal data appropriate to the risk.

The following information sets out the basic precautions that should be considered by organisations processing personal data (i.e. data controllers and data processors). It does not aim to provide a full list of measures that can be implemented to protect personal data in all contexts. Data controllers and processors have to adapt these measures to the context (taking into account the state of the art, the context of the processing and the risk for individuals).

Security: what is at stake?

The consequences of a lack of security can be serious: companies can see their image degraded, lose the confidence of their consumers, have to pay large sums of money to recover from a security incident (for example following a data breach) or have their activity stopped. Securing personal data is in the interest of both individuals and the organisations processing the data.

In order to assess the risks generated by each processing operation, it is first advisable to identify the potential impact on the rights and freedoms of the individuals concerned. While organisations have to protect their data (personal or not) for their own interest, the following information focuses on the protection of individuals’ data.

Data security has three main components: to protect the integrity, availability and confidentiality of the data. Therefore, organisations should assess the risks for the following:

  1. unauthorised or accidental access to data - breach of confidentiality (e.g. identity theft following the disclosure of the pay slips of all employees of a company);
  2. unauthorised or accidental alteration of data - breach of integrity (e.g. falsely accusing a person of a wrongdoing or crime as a result of the modification of access logs);
  3. loss of data or loss of access to data - breach of availability (e.g. failure to detect a drug interaction due to the impossibility of accessing the patient's electronic record).

It is also advisable to identify the risk sources (i.e. who or what could be at the origin of each security incident?), taking into account internal and external human sources (e.g. IT administrator, user, external attacker, competitor), and internal or external non-human sources (e.g. water damage, hazardous materials, non-targeted computer virus).

This identification of the risk sources will allow you to identify the potential threats (i.e. what circumstances could allow a security incident to occur?) on supporting assets (e.g. hardware, software, communication channels, paper, etc.), which can be:

  • used in an inappropriate manner (e.g. abuse of rights, handling error);
  • modified (e.g. software or hardware tampering such as a keylogger, installation of malware);
  • lost (e.g. theft of a laptop, loss of a USB key);
  • observed (e.g. observation of a screen in a train, geolocation of devices);
  • deteriorated (e.g. vandalism, natural deterioration);
  • overloaded (e.g. full storage unit, denial of service attack);
  • unavailable (e.g. in case of ransomware).

It is also advisable to:

  • determine the existing or planned measures to address each risk (e.g. access control, backups, traceability, premises security, encryption);
  • estimate the severity and likelihood of the risks, based on the above elements (example of a scale that can be used for the estimate: negligible, moderate, significant, maximum);
  • implement and verify the planned measures: if the existing and planned measures are deemed appropriate, ensure that they are implemented and monitored;
  • conduct periodic security audits: each audit should result in an action plan whose implementation should be monitored at the highest level of the organisation.

The GDPR introduces the notion of a "data protection impact assessment (DPIA)", which is mandatory for any processing of personal data likely to result in high risk for individuals. A DPIA must contain the measures envisaged to address the identified risks, including safeguards, security measures and mechanisms to ensure the protection of personal data.

In practice

  • In order to have a clearer view of the security risks, you can, for example, create a risk management spreadsheet and keep it regularly updated. This spreadsheet can include material and human risks related to servers, computers or premises. Sufficiently anticipated risks can help mitigate the consequences in case of an incident.

Organisational measures

Raising user awareness

It is essential to make employees or users handling personal data (data handlers) aware of the risks related to privacy, inform them of the measures taken to address the risks and the potential consequences in case of failure.

In practice

Raising user awareness can take the form of:

  • awareness sessions;
  • regular updates on procedures relevant to the functions of employees and data handlers;
  • internal communication, via email reminders, etc.

Another precaution is to document the operating procedures, keep them up to date and make them easily available to all data handlers concerned. In concrete terms, any personal data processing activity, whether it concerns administrative operations or the simple use of an application, should be explained in a clear language and adapted to each category of handler, in documents to which they can refer.

Set up an internal policy

The awareness of internal data handlers can take the form of a document, which should be binding and integrated into internal regulations. The internal policy should particularly include a description of data protection and security rules.

Other organisational measures

  • Implement an information classification policy that defines several levels and requires marking of documents and emails containing confidential data.
  • Make a visible and explicit statement on each page of a paper or electronic document that contains sensitive data.
  • Conduct information security training and awareness sessions. Periodic reminders can be provided via email or other internal communication tools.
  • Provide for the signing of a confidentiality agreement or include a specific confidentiality clause regarding personal data in contracts with employees and other data handlers.


Technical measures

Secure equipment

Confidence in the reliability of your information systems is a key issue, and implementation of appropriate security measures, which the GDPR has made mandatory, is one of the ways to provide this.

In particular, it is advisable to secure:

  • hardware (e.g. servers, workstations, laptops, hard drives);
  • software (e.g. operating system, business software);
  • communication channels (e.g. fiber optics, Wi-Fi, Internet);
  • paper documents (e.g. printed documents, copies);
  • premises.

Secure workstations

The following actions could be considered when securing workstations:

  • provide an automatic session lockout mechanism when the workstation is not used for a given period of time;
  • install firewall software and limit the opening of communication ports to those strictly necessary for the proper functioning of applications installed on the workstation;
  • use regularly updated antivirus software and have a policy of regularly updating software;
  • configure software to automatically update security whenever possible;
  • encourage the storage of user data on a regularly backed-up storage space accessible via the organisation's network rather than on workstations. If data is stored locally, provide users with synchronisation or backup capabilities and train them in their use;
  • limit the connection of mobile media (USB sticks, external hard drives, etc.) to the essentials;
  • disable autorun from removable media.

What not to do

  • use obsolete operating systems;
  • give administrator rights to users who do not have computer security skills.


To go further

  • prohibit the use of downloaded applications that do not come from secure sources;
  • limit the use of applications that require administrator-level rights to run;
  • securely erase the data on a workstation before reassigning it to another individual;
  • in the event that a workstation is compromised, search for the source and any trace of intrusion into the organisation's information system, in order to detect whether other elements were compromised;
  • perform security monitoring of software and hardware used in the organisation's information system;
  • update applications when critical vulnerabilities have been identified and fixed;
  • install critical operating system updates without delay by scheduling a weekly automatic check;
  • disseminate to all users the proper course of action and the list of people to contact in the event of a security incident or unusual event affecting the organisation's information and communication systems.

In practice

  • Your office has an open space concept and you have many employees, but also many visitors. Thanks to an automatic session lock, no one outside the company can access the computer of an employee on break or see what they are working on. In addition, a firewall and an up-to-date antivirus protect your employees' internet browsing and limit the risks of intrusion into your servers. The more measures are put in place, the more difficult it becomes for persons with malicious intent or a negligent employee to cause damage.

Protect the company's premises

Access to the premises must be controlled to prevent or slow down direct, unauthorised access to paper files or to computer equipment, particularly servers.

What to do

  • install intrusion alarms and check them periodically;
  • install smoke detectors and firefighting equipment and inspect them annually;
  • protect keys used to access the premises and alarm codes;
  • distinguish building areas according to risk (e.g. provide dedicated access control for the computer room);
  • maintain a list of individuals or categories of individuals authorised to enter each area;
  • establish rules and means for controlling visitor access, at a minimum by having visitors accompanied outside of public areas by a person from the organisation;
  • physically protect the computer equipment with specific means (dedicated firefighting system, elevation against possible flooding, redundant power supply and/or air conditioning, etc.).


What not to do

Under-dimensioning or neglecting the maintenance of the server room environment (air conditioning, UPS, etc.). A breakdown in these installations often results in the shutdown of the machines or in the rooms being opened for air circulation, which de facto neutralises the security measures.

To go further

It may be appropriate to keep a record of access to rooms or offices that hold material containing personal data that could have a serious negative impact on the individuals concerned. Inform data handlers of the implementation of such a system, after informing and consulting staff representatives.

Also, ensure that only properly authorised personnel are allowed in restricted areas. For example:

  • inside restricted areas, require all individuals to wear a visible means of identification (badge);
  • visitors (technical support staff, etc.) should have limited access. The date and time of their arrival and departure must be recorded;
  • regularly review and update access permissions to secure areas and remove them as necessary.

In practice

  • Your company is specialised in e-commerce. You hold personal data of customers hosted on servers in separate premises. In order to secure access to these data, the entrance to these premises is protected by a badge reader. However, a fire breaks out due to a short circuit. Thanks to a smoke detector, the fire department is quickly alerted and able to limit the loss of data.

Authenticate users

To ensure that users access only the data they need, they should be given a unique identifier and should authenticate themselves before using the computer facilities.

Mechanisms to achieve person authentication are categorised according to whether they involve:

  • what we know, e.g. a password;
  • what we have, e.g. a smart card;
  • a characteristic specific to the person, for example the way a handwritten signature is traced.

The choice of the mechanism depends on the context and different factors. A user's authentication is considered strong when it uses a combination of at least two of these categories.

In practice

  • In order to access a secure room containing confidential information, you can install a badge reader (“what we have”) along with an access code (“what we know”).

Manage authorisations

Differentiated levels of authorisation profiles should be implemented according to needs. Users should only have access to data on a need-to-know basis.

Good practice for authentication and management of authorisations:

  • define a unique identifier for each user and prohibit accounts shared by several users. In the event that the use of generic or shared identifiers is unavoidable, require internal validation and implement means to track them (logs);
  • impose the use of sufficiently strong password complexity rules (e.g. at least 8 characters, upper case and special characters);
  • store passwords securely;
  • remove obsolete access permissions;
  • carry out a review on a regular basis (e.g. every six months).
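As an added example, not part of the original guidance, the following Python script enforces the password rules listed above (at least 8 characters, an upper-case letter and a special character) and stores passwords as salted PBKDF2-HMAC-SHA256 hashes instead of in clear text, so that a copy of the user directory does not reveal anyone's password. The iteration count, salt size, storage format and the sample user are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import string
from typing import Dict, List, Optional

# Complexity rule taken from the guidance above.
MIN_LENGTH = 8
# Assumptions for the example: PBKDF2 work factor and salt size.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def check_password_policy(password: str) -> List[str]:
    """Return the rules the password breaks; an empty list means it is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 hash; this string is what gets stored, never the password."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    # Self-describing record so the parameters can be raised later without breaking old entries.
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash with the stored salt and iteration count and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def register_user(directory: Dict[str, str], user_id: str, password: str) -> None:
    """Enforce the policy at account creation, then keep only the derived hash."""
    problems = check_password_policy(password)
    if problems:
        raise ValueError(f"password rejected for {user_id}: " + ", ".join(problems))
    directory[user_id] = hash_password(password)


if __name__ == "__main__":
    users: Dict[str, str] = {}
    register_user(users, "jdoe", "Correct-Horse7")  # constructed sample user
    print(verify_password("Correct-Horse7", users["jdoe"]))   # True
    print(verify_password("correct-horse7", users["jdoe"]))   # False
    print(check_password_policy("password"))                   # two rule violations
```

The directory only ever holds the `pbkdf2_sha256$...` record, so the "store passwords securely" rule is met by construction; the policy check runs once at registration, where a rejected password is reported with the rule it broke rather than silently accepted.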

What not to do

  • create or use accounts shared by several people;
  • give administrator rights to users who do not need them;
  • grant a user more privileges than necessary;
  • forget to remove temporary authorisations granted to a user (e.g. for a replacement);
  • forget to delete the user accounts of people who have left the organisation or changed jobs.

To go further

Establish, document and regularly review an access control policy covering the processing operations carried out by the organisation; it should include:

  • the procedures to be applied systematically on the arrival, departure or change of assignment of a person with access to personal data;
  • the consequences for individuals with legitimate access to the data in the event of non-compliance with the security measures;
  • measures to restrict and control the allocation and use of access to the processing.

In practice

  • When a new employee joins the company, you must create a new dedicated user account with a strong password. Employees should not share their credentials with each other, especially if they do not have the same accreditation. In the event that they change position, you should review their access permissions to certain files or systems.
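The periodic review described above can be automated against an export of the user directory. The following Python script is an added example, not code from the original guidance: it flags each of the "what not to do" cases (shared accounts without validation, leavers whose accounts still exist, lapsed temporary authorisations, and permissions beyond what a person's current role needs). The role-to-permission matrix, the account records and the review date are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed need-to-know matrix (an assumption for the example): the permissions each
# role legitimately requires. Anything outside it is "more privilege than necessary".
ROLE_PERMISSIONS = {
    "hr": {"payroll-read", "payroll-write"},
    "sales": {"crm-read"},
    "it-admin": {"crm-read", "payroll-read", "server-admin"},
}

REVIEW_DATE = date(2024, 6, 1)  # constructed date of this review run


@dataclass
class Account:
    user_id: str
    role: str
    permissions: List[str]
    owner: Optional[str] = None              # None marks a generic/shared account
    left_on: Optional[date] = None           # date the person left the organisation, if any
    temporary: Dict[str, date] = field(default_factory=dict)  # permission -> expiry date
    shared_validated: bool = False           # internal validation and logging in place for a shared account


def review_accounts(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return (user_id, finding) pairs for every account that breaks one of the rules above."""
    findings = []
    for acc in accounts:
        if acc.owner is None and not acc.shared_validated:
            findings.append((acc.user_id, "shared account without internal validation and logging"))
        if acc.left_on is not None and acc.left_on <= today:
            findings.append((acc.user_id, "person has left the organisation: delete the account"))
            continue  # a leaver's account is removed outright; its permissions need no further review
        allowed = ROLE_PERMISSIONS.get(acc.role, set())
        for perm in acc.permissions:
            expiry = acc.temporary.get(perm)
            if expiry is not None:
                if expiry < today:
                    findings.append((acc.user_id, f"temporary permission expired on {expiry}: {perm}"))
            elif perm not in allowed:
                findings.append((acc.user_id, f"permission not needed for role '{acc.role}': {perm}"))
    return findings


def sample_accounts() -> List[Account]:
    """Constructed directory extract used by the example."""
    return [
        Account("alice", "hr", ["payroll-read", "payroll-write"], owner="Alice"),
        # Bob moved from HR to sales but kept his payroll access (change of assignment not reviewed).
        Account("bob", "sales", ["crm-read", "payroll-read"], owner="Bob"),
        # Carol left in March; her account is still present.
        Account("carol", "sales", ["crm-read"], owner="Carol", left_on=date(2024, 3, 31)),
        # Dave covered for an administrator; the temporary grant has lapsed.
        Account("dave", "sales", ["crm-read", "server-admin"], owner="Dave",
                temporary={"server-admin": date(2024, 5, 15)}),
        # Generic reception account with no validated owner or tracking.
        Account("reception", "sales", ["crm-read"]),
    ]


def review_sample() -> List[Tuple[str, str]]:
    """Run the review over the constructed extract at the constructed review date."""
    return review_accounts(sample_accounts(), REVIEW_DATE)


if __name__ == "__main__":
    for user_id, finding in review_sample():
        print(f"{user_id}: {finding}")
```

Each finding maps to one of the procedures the policy should define (arrival, departure, change of assignment, temporary grants); running the script every six months, as the guidance suggests, turns the review into a repeatable check rather than a manual inspection of the directory.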

Pseudonymise data

Pseudonymisation is the processing of personal data in such a way that it is no longer possible to attribute the personal data to a specific natural person without the use of additional information. Such additional information has to be kept separately and be subject to technical and organisational measures.

In practice, pseudonymisation consists in replacing directly identifying data (name, first name, personal number, phone number, etc.) in a data set with indirectly identifying data (alias, sequential number, etc.). It makes it possible to process the data of individuals without being able to identify them in a direct way. However, it is possible to trace the identity of these individuals thanks to the additional data. As such, pseudonymised data is still personal data and is subject to the GDPR. Pseudonymisation is also reversible, unlike anonymisation.

Pseudonymisation is one of the measures recommended by the GDPR to limit the risks associated with the processing of personal data.
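The replacement of direct identifiers by an alias, with the re-identification data held apart, can be implemented as follows. This Python class is an added example, not part of the original guidance: it derives the alias with a keyed hash (HMAC-SHA256) so that the same person always receives the same alias while nobody without the key can recompute it, and it keeps the alias-to-identity table in a separate object standing in for the separately stored "additional information". The identifier fields, the key and the sample record are constructed for the example.

```python
import hashlib
import hmac
from typing import Dict

# Fields the guidance lists as directly identifying (constructed field names for the example).
DIRECT_IDENTIFIERS = ("last_name", "first_name", "personal_number", "phone")


class Pseudonymiser:
    """Replaces direct identifiers with an alias and keeps the re-identification table apart."""

    def __init__(self, secret_key: bytes):
        self._key = secret_key
        # The "additional information" of the definition: alias -> direct identifiers.
        # In a real deployment this lives in a separate store with its own access control.
        self._lookup: Dict[str, Dict[str, str]] = {}

    def alias_for(self, record: Dict[str, object]) -> str:
        # Keyed hash over the identifying fields: deterministic for one key, so repeated
        # records of the same person link to the same alias, but not recomputable without the key.
        material = "|".join(str(record[f]) for f in DIRECT_IDENTIFIERS).encode("utf-8")
        return "P-" + hmac.new(self._key, material, hashlib.sha256).hexdigest()[:12]

    def pseudonymise(self, record: Dict[str, object]) -> Dict[str, object]:
        """Return the record with direct identifiers stripped and an alias added."""
        alias = self.alias_for(record)
        self._lookup[alias] = {f: record[f] for f in DIRECT_IDENTIFIERS}
        pseudo = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        pseudo["alias"] = alias
        return pseudo

    def reidentify(self, pseudo: Dict[str, object]) -> Dict[str, object]:
        """Reverse the operation; only the holder of the separate lookup table can do this."""
        identifiers = self._lookup[pseudo["alias"]]
        full = {k: v for k, v in pseudo.items() if k != "alias"}
        full.update(identifiers)
        return full


def sample_record() -> Dict[str, object]:
    """Constructed HR record used by the example."""
    return {
        "last_name": "Doe",
        "first_name": "Jane",
        "personal_number": "19850101-1234",
        "phone": "+352 000 000",
        "department": "sales",
        "salary": 52000,
    }


if __name__ == "__main__":
    p = Pseudonymiser(b"constructed-test-key")
    pseudo = p.pseudonymise(sample_record())
    print(pseudo)              # department, salary and alias only
    print(p.reidentify(pseudo))  # original record restored from the separate table
```

Because the alias is reversible through the lookup table (or, for anyone holding the key, recomputable from the identifiers), the output is still personal data under the GDPR, which is exactly the distinction the text draws between pseudonymisation and anonymisation.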

Encrypt data

Encryption is a process which consists of converting the information into a code in order to prevent unauthorised access. That information can only be read again by using the correct key. Encryption is used to guarantee the confidentiality of data. Encrypted data is still personal data. As such, encryption can be considered as one of the pseudonymisation techniques.

In addition, hash functions can be used to ensure data integrity. Digital signatures not only ensure integrity, they also make it possible to verify the origin of the information and its authenticity.
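The difference between integrity alone and integrity plus origin can be shown with two stdlib primitives. The Python script below is an added example, not part of the original guidance: a plain SHA-256 hash detects that a record was altered, but whoever alters it can simply recompute the hash, whereas a keyed hash (HMAC) can only be produced by a holder of the key and therefore also vouches for the origin. HMAC is the shared-key counterpart of a digital signature; a true signature does the same with an asymmetric key pair so that verifiers never hold the signing secret, which needs a library outside the standard library and is not shown here. The record contents and the key are constructed for the example.

```python
import hashlib
import hmac
from typing import Dict


def integrity_tag(data: bytes) -> str:
    """Plain hash: detects accidental or malicious modification of the data."""
    return hashlib.sha256(data).hexdigest()


def integrity_ok(data: bytes, tag: str) -> bool:
    return hmac.compare_digest(integrity_tag(data), tag)


def authenticity_tag(key: bytes, data: bytes) -> str:
    """Keyed hash (HMAC-SHA256): only a holder of the key can produce a valid tag, so it also proves origin."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def authenticity_ok(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(authenticity_tag(key, data), tag)


def tamper_scenario(key: bytes) -> Dict[str, bool]:
    """Constructed scenario: a record is altered in transit and the attacker recomputes the plain hash."""
    original = b"patient=12345;allergy=penicillin"   # constructed sample record
    altered = b"patient=12345;allergy=none"
    tag = integrity_tag(original)           # published alongside the record
    mac = authenticity_tag(key, original)   # computed by the legitimate sender

    return {
        "unchanged_passes_hash": integrity_ok(original, tag),
        "altered_fails_hash": not integrity_ok(altered, tag),
        # Anyone can recompute a plain hash over altered data, so a hash alone says nothing about origin.
        "altered_with_recomputed_hash_passes": integrity_ok(altered, integrity_tag(altered)),
        # Without the key, the altered record cannot be given a matching MAC.
        "altered_fails_mac": not authenticity_ok(key, altered, mac),
        "wrong_key_fails_mac": not authenticity_ok(b"not-the-key", original, mac),
    }


if __name__ == "__main__":
    for check, outcome in tamper_scenario(b"constructed-shared-secret").items():
        print(f"{check}: {outcome}")
```

Every entry in the returned dictionary is expected to be True: the third one is the point of the example, since it shows why a hash published next to the data protects against accidents but not against a deliberate change, and why the guidance reserves origin and authenticity for signatures (or, between two parties sharing a key, a MAC).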

Anonymise data

Personal data can be rendered anonymous in such a manner that the individual is not or no longer identifiable. Anonymisation is a process that consists in using a set of techniques to make personal data anonymous in such a way that it becomes impossible to identify the person by any means that are reasonably likely to be used.

Anonymisation, when implemented properly, may enable you to use data in a way that respects the rights and freedoms of individuals. Indeed, anonymisation opens up the potential for the reuse of data that is initially not permitted due to the personal nature of the data, and can thus allow organisations to use data for additional purposes without interfering with the privacy of individuals. Anonymisation also makes it possible to keep data beyond the retention period.

When the anonymisation is implemented properly, the GDPR no longer applies to the anonymised data. However, it is important to keep in mind that the anonymisation of personal data in practice is not always possible or easy to achieve. It has to be assessed whether the anonymisation can be applied to the data at issue and maintained successfully, considering the specific circumstances of the processing of the personal data. Additional legal or technical expertise would often be needed to successfully implement the anonymisation in compliance with the GDPR.

How to verify the effectiveness of anonymisation?

European data protection authorities define three criteria to ensure that a dataset is truly anonymous:

  1. Singling out: it should not be possible to isolate information about an individual in the dataset.
  2. Linkability: it should not be possible to link separate data pieces regarding the same individual.
  3. Inference: it should not be possible to deduce, with near certainty, information about an individual.

In practice

  • Singling out: in a database of CVs where only the first and last names of a person have been replaced by a number (which corresponds only to that person), it is still possible to single out a particular person based on other characteristics. In this case, the personal data is considered as pseudonymised and not as anonymised.
  • Linkability: a mapping database containing the addresses of individuals cannot be considered anonymous if other databases, existing elsewhere, contain these same addresses with other data allowing the identification of individuals.
  • Inference: if a supposedly anonymous dataset contains information on the tax liability of respondents to a questionnaire, and all male respondents between the ages of 20 and 25 are non-taxable, then it could be inferred that a specific respondent is taxable or not, when their age and gender are known.
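The three criteria can be tested mechanically on a candidate dataset before it is released. The Python script below is an added example, not part of the original guidance, and it generalises the three "in practice" cases: it groups records by their quasi-identifiers (here age band and gender) and reports combinations that isolate a single record (singling out), combinations where every member shares the same sensitive value so that the value follows from the quasi-identifiers alone (inference, the tax example above), and records whose address matches exactly one entry in a second, external dataset (linkability). The questionnaire extract, the external address list and the attribute names are all constructed for the example.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Sequence, Tuple

# Constructed questionnaire extract (not real data). Names were already removed;
# age band and gender are the quasi-identifiers, tax liability is the sensitive attribute.
RESPONDENTS = [
    {"id": 1, "age_band": "20-25", "gender": "M", "postcode": "L-1111", "taxable": False},
    {"id": 2, "age_band": "20-25", "gender": "M", "postcode": "L-2222", "taxable": False},
    {"id": 3, "age_band": "20-25", "gender": "F", "postcode": "L-1111", "taxable": True},
    {"id": 4, "age_band": "20-25", "gender": "F", "postcode": "L-3333", "taxable": False},
    {"id": 5, "age_band": "26-30", "gender": "M", "postcode": "L-4444", "taxable": True},
]
QUASI_IDENTIFIERS = ("age_band", "gender")
SENSITIVE = "taxable"

# Constructed "mapping database" held elsewhere: postcode plus a name.
EXTERNAL_ADDRESSES = [
    {"postcode": "L-1111", "name": "resident A"},
    {"postcode": "L-1111", "name": "resident B"},
    {"postcode": "L-2222", "name": "resident C"},
    {"postcode": "L-4444", "name": "resident D"},
]


def group_by(records: List[dict], attributes: Sequence[str]) -> Dict[Tuple, List[dict]]:
    """Bucket records by the values of the given attributes."""
    groups: Dict[Tuple, List[dict]] = defaultdict(list)
    for r in records:
        groups[tuple(r[a] for a in attributes)].append(r)
    return groups


def singling_out(records: List[dict], quasi: Sequence[str]) -> List[Tuple]:
    """Quasi-identifier combinations that match exactly one record (k = 1)."""
    return [key for key, rows in group_by(records, quasi).items() if len(rows) == 1]


def inference(records: List[dict], quasi: Sequence[str], sensitive: str) -> Dict[Tuple, object]:
    """Combinations of two or more records whose members all share the same sensitive value.
    Singletons are excluded here because singling_out already reports them."""
    return {
        key: rows[0][sensitive]
        for key, rows in group_by(records, quasi).items()
        if len(rows) >= 2 and len({r[sensitive] for r in rows}) == 1
    }


def linkability(records: List[dict], external: List[dict], link_attr: str) -> List[int]:
    """Ids of records whose link attribute matches exactly one entry in an external dataset."""
    matches = Counter(e[link_attr] for e in external)
    return [r["id"] for r in records if matches[r[link_attr]] == 1]


def assess(records, quasi, sensitive, external, link_attr) -> Dict[str, object]:
    """Apply the three criteria; any non-empty result means the dataset is not anonymous."""
    return {
        "singling_out": singling_out(records, quasi),
        "inference": inference(records, quasi, sensitive),
        "linkability": linkability(records, external, link_attr),
    }


def assess_sample() -> Dict[str, object]:
    return assess(RESPONDENTS, QUASI_IDENTIFIERS, SENSITIVE, EXTERNAL_ADDRESSES, "postcode")


if __name__ == "__main__":
    for criterion, hits in assess_sample().items():
        print(f"{criterion}: {hits}")
```

On the constructed extract the only man aged 26-30 is singled out, every man aged 20-25 is non-taxable so his tax status can be inferred from age and gender alone, and respondents 2 and 5 are the only residents of their postcodes in the external address list, so they can be linked to a name. A dataset passes only when all three results are empty; in practice the quasi-identifiers to test are all attributes that an external source could plausibly also hold.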

Specific situations

Security measures for teleworking

In the context of teleworking, it is necessary to guarantee the security of the processed data while respecting the privacy of individuals.

What to do:

  • Issue a telework security policy or at least a set of minimum rules to be respected, and communicate this document to employees according to your internal regulations;
  • If you need to change the business rules of your information system to enable teleworking (e.g., change the clearance rules, remote administrator access, etc.), consider the risks involved and, if necessary, take steps to maintain the level of security;
  • Equip all your employees' workstations with at least a firewall, anti-virus software and a tool to block access to malicious sites. If the employees can use their own equipment, provide guidance to secure it (see "Security measures for BYOD");
  • Set up a VPN to avoid direct exposure of your services to the Internet whenever possible. Enable two-factor VPN authentication if possible;
  • Provide your employees with a list of communications and collaboration tools appropriate for remote work, which guarantee the confidentiality of exchanges and shared data. Choose tools that you control and ensure that they provide at least state-of-the-art authentication and encryption of communications and that the data in transit is not reused for other purposes (product improvement, advertising, etc.). Some consumer software can transmit user data to third parties, and is therefore particularly unsuitable for corporate use.

Security measures for BYOD (Bring your own device)

With the development of BYOD, especially in SMEs, the boundary between professional and personal life is disappearing. Even if BYOD does not represent, in itself, a processing of personal data, it is still necessary to ensure data security.

The acronym "BYOD" stands for "Bring Your Own Device" and refers to the use of personal computer equipment in a professional context. An example of this would be an employee who uses personal equipment such as a computer, tablet or smartphone to connect to the company network.

The possibility of using personal tools is primarily a matter of employer choice and national legislation. The GDPR requires that the level of security of personal data processed be the same, regardless of the equipment used. Employers are responsible for the security of their company's personal data, including when it is stored on terminals over which they have no physical or legal control, but whose use they have authorised to access the company's IT resources.

The risks against which it is essential to protect your organisation range from a one-off attack on the availability, integrity and confidentiality of data to a general compromise of the company's information system (intrusion, virus, etc.).

Example checklist

An example of what a checklist to improve the level of security in place in your organisation could look like:

  • Inform and educate data handlers regularly about privacy related risks
  • Set up an internal policy and give it binding force
  • Implement data protection by design and by default
  • Make sure the data processed is adequate, relevant and limited to what is necessary (data minimisation)
  • Implement an information classification policy for confidential data
  • Put a specific indication on documents containing sensitive data
  • Conduct information security training and awareness sessions, along with periodic reminders
  • Sign a confidentiality agreement with your employees or include specific confidentiality clauses
  • Provide automatic session lockout, up-to-date firewall and antivirus, backup storage for users
  • Limit physical connection (USB sticks, external hard drives, etc.) to the essentials
  • Protect the company’s premises (e.g. intrusion alarms, smoke detectors, protected keys, areas distinguished according to risk, authorisations to access specific areas, dedicated firefighting system)
  • Give a unique identifier to users
  • Require authentication to access computer facilities
  • Manage authorisations (e.g. separated profiles according to needs, unique identifier, strong passwords)
  • Issue a telework security policy
  • Remove obsolete access permissions
  • Carry out regular review of the authorisations
  • Pseudonymise or anonymise data to limit the reidentification of individuals
  • Encrypt data to prevent unauthorised access
  • Install a VPN for telework
  • Make sure to secure personal devices used for work (BYOD)