In this blog, we share insights into the technical areas we often analyse for our clients in the private and public sector for the GDPR implementation, such as:
- Assessment of data flow, transfer, and sharing
- Assessment of data storage, retention, and deletion
- Assessment of access control and security
- Assessment of access procedures, policy, and legal contracts
Assessment of data flow, transfer, and sharing
Data is generally transmitted/received through either a push model (data-driven) or a pull model (demand-driven).
Characteristics of the push model are:
- data is transmitted without a request from the receiving side making the sender the active component
- the receiver side may not be able to control or validate the content of the disseminated data
Characteristics of the pull model are:
- the sender side passively waits for a request from the receiver side now considered the active component
- the receiver side has the control over the content of data received
While concerns for the GDPR implementation are effectively the same for both models, there are specific risks more likely to appear if using a push or a pull model that system developers need to remain cognizant of, especially when data is being transferred from a data controller to a data processor.
For the push model, a primary risk is that the controller pushes the wrong data: either data that does not conform to the legal processing requirements, or data in the wrong format (e.g., plain-text data where anonymised/pseudonymised data was agreed). Because the sender is the active component, these checks have to happen on the controller's side before anything leaves.
For the pull model, organisations need to ensure, through privacy-by-design technical measures at the serving endpoint, that a processor cannot access or process data that falls outside their controller-processor contract, since here it is the processor that decides what to ask for.
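The two risks above sit at the same technical boundary, so they can be handled by the same control. The following is an added example (not code from the original post or from any product it describes) that models the controller-processor contract as a field allow-list, pseudonymises identifiers with a keyed hash before they leave the controller, and enforces the contract on both a push and a pull path. The `ProcessorContract` class, the field names, the sample records and the key are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample records (not real data): a controller's customer table.
CUSTOMERS = [
    {"customer_id": "C-1001", "email": "alice@example.org",
     "postcode": "SW1A 1AA", "churn_score": 0.82},
    {"customer_id": "C-1002", "email": "bob@example.org",
     "postcode": "EH1 1YZ", "churn_score": 0.17},
]

# Constructed key for the example only. In production it comes from a KMS/HSM and
# never leaves the controller; a processor holding the key could rebuild the pseudonyms.
PSEUDONYMISATION_KEY = b"example-key-do-not-use-in-production"


class ContractViolation(Exception):
    """Raised when a transfer would fall outside the controller-processor contract."""


@dataclass(frozen=True)
class ProcessorContract:
    """Hypothetical machine-readable view of the scope agreed with one processor."""
    processor: str
    allowed_fields: frozenset        # fields the processor may receive at all
    pseudonymised_fields: frozenset  # subset that must be pseudonymised before leaving

    def __post_init__(self):
        if not self.pseudonymised_fields <= self.allowed_fields:
            raise ValueError("pseudonymised_fields must be a subset of allowed_fields")


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256, truncated): stable, so records stay linkable
    within the dataset, but not reversible by a processor that never sees the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def assert_in_scope(rows, contract):
    """Boundary gate: refuse any payload carrying fields the contract does not allow.
    Cheap enough to run on every transfer, in either model, as the last check."""
    for i, row in enumerate(rows):
        extra = set(row) - contract.allowed_fields
        if extra:
            raise ContractViolation(
                f"row {i} for {contract.processor} carries out-of-contract fields: {sorted(extra)}")
    return True


def prepare_push(records, contract, key=PSEUDONYMISATION_KEY):
    """Push model: the controller is the active side, so it projects each record onto the
    contract's fields and pseudonymises identifiers before anything is sent."""
    rows = []
    for rec in records:
        row = {}
        for name in contract.allowed_fields:
            if name in rec:
                value = rec[name]
                row[name] = (pseudonymise(str(value), key)
                             if name in contract.pseudonymised_fields else value)
        rows.append(row)
    assert_in_scope(rows, contract)
    return rows


def serve_pull(requested_fields, contract, records, key=PSEUDONYMISATION_KEY):
    """Pull model: the processor is the active side, so the controller's endpoint checks
    the request against the contract before building a response, and narrows the
    projection to exactly what was asked for (never more)."""
    requested = frozenset(requested_fields)
    extra = requested - contract.allowed_fields
    if extra:
        raise ContractViolation(
            f"{contract.processor} requested out-of-contract fields: {sorted(extra)}")
    narrowed = ProcessorContract(contract.processor, requested,
                                 contract.pseudonymised_fields & requested)
    return prepare_push(records, narrowed, key)


if __name__ == "__main__":
    contract = ProcessorContract(
        "analytics-vendor",
        allowed_fields=frozenset({"customer_id", "postcode", "churn_score"}),
        pseudonymised_fields=frozenset({"customer_id"}),
    )
    print(prepare_push(CUSTOMERS, contract))
    try:
        serve_pull(["customer_id", "email"], contract, CUSTOMERS)
    except ContractViolation as exc:
        print("refused:", exc)
```

The point of `assert_in_scope` being a separate function is that it can be wired in as the last step of any export job, whichever model the job uses, so a change elsewhere in the pipeline that starts emitting an extra column is caught at the boundary rather than at the processor.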
Assessment of data storage, retention, and deletion
Data is generally stored using a combination of different database technologies such as
Typically, the design of these databases is driven by business requirements such as:
- processing requirements (real-time/batch)
- access speed (read/write)
- storage requirements (permanent/temporary)
Another element is data management in terms of backup, retention, and deletion which could be made either time-dependent (minutes, hourly, daily, monthly, yearly) or rule-based (consent, opt-in/opt-out, receiving of updated data).
Information on such storage, retention and deletion requirements is required to complete a Data Protection Impact Assessment, as part of the systematic description of the system under examination. It is also valuable when assessing complex questions around the linkability of data, which feeds into the ability to de-anonymise individuals by combining data stored in disparate databases.
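A retention policy that mixes time-dependent and rule-based triggers is easiest to assess when it is written down as a decision function that returns the reason for each deletion. The following is an added example (not code from the original post): a small policy engine over constructed records, in which the legal basis decides whether consent withdrawal is a deletion trigger, receipt of an updated record retires the superseded one, and an unknown category is treated as a finding rather than silently kept. The category names, policy values and record layout are assumptions for the example.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical retention policy keyed by data category. `max_age` is the time-based rule;
# `basis` says whether the lawful basis is consent (so withdrawal triggers deletion) or an
# obligation/contract that keeps the data for its full term regardless of consent state.
RETENTION_POLICY = {
    "marketing_profile": {"max_age": timedelta(days=365), "basis": "consent"},
    "transaction":       {"max_age": timedelta(days=6 * 365), "basis": "legal_obligation"},
    "support_ticket":    {"max_age": timedelta(days=90), "basis": "contract"},
}

# Constructed records (not real data). `last_updated` is timezone-aware so age arithmetic
# does not depend on the host clock's zone.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
RECORDS = [
    {"id": "R1", "category": "marketing_profile", "consent": True,
     "last_updated": datetime(2024, 1, 1, tzinfo=timezone.utc)},
    {"id": "R2", "category": "marketing_profile", "consent": False,
     "last_updated": datetime(2024, 5, 1, tzinfo=timezone.utc)},
    {"id": "R3", "category": "transaction", "consent": False,   # consent irrelevant here
     "last_updated": datetime(2019, 1, 1, tzinfo=timezone.utc)},
    {"id": "R4", "category": "support_ticket",
     "last_updated": datetime(2024, 1, 15, tzinfo=timezone.utc)},
    {"id": "R5", "category": "support_ticket", "superseded_by": "R6",
     "last_updated": datetime(2024, 5, 20, tzinfo=timezone.utc)},
    {"id": "R6", "category": "support_ticket",
     "last_updated": datetime(2024, 5, 20, tzinfo=timezone.utc)},
]


def deletion_reason(record, now, policy=RETENTION_POLICY):
    """Return why `record` must be deleted at time `now`, or None if it may be kept.
    Rule-based triggers are evaluated before the time-based limit."""
    category = record["category"]
    if category not in policy:
        # Data with no retention rule is itself a DPIA finding; do not guess a default.
        raise ValueError(f"record {record['id']}: no retention rule for category {category!r}")
    rule = policy[category]
    if rule["basis"] == "consent" and not record.get("consent", False):
        return "consent withdrawn or never given"
    if record.get("superseded_by"):
        return "superseded by updated record " + record["superseded_by"]
    age = now - record["last_updated"]
    if age > rule["max_age"]:
        return "older than retention limit of %d days" % rule["max_age"].days
    return None


def sweep(records, now, policy=RETENTION_POLICY):
    """Classify every record into (delete, keep); returning the reason alongside each
    deletion is what makes the run auditable after the fact."""
    delete, keep = [], []
    for rec in records:
        why = deletion_reason(rec, now, policy)
        if why:
            delete.append((rec["id"], why))
        else:
            keep.append((rec["id"], None))
    return delete, keep


if __name__ == "__main__":
    to_delete, to_keep = sweep(RECORDS, NOW)
    for rec_id, why in to_delete:
        print("delete", rec_id, "-", why)
    print("keep", [rec_id for rec_id, _ in to_keep])
```

Note that a record removed from the live database still exists in every backup taken while it was live; the backup rotation period therefore has to be added to the figure recorded in the DPIA as the point at which the data is actually gone.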
Assessment of access control and security
Data on a cloud/server is generally accessed remotely through security protocols and authentication mechanisms such as:
- Secure Shell (SSH), which uses public-key cryptography to authenticate the client to the server
- Two-Factor Authentication (2FA), requiring a password plus a time-sensitive one-time code generated by or sent to a mobile device
Another element to assess is access management, e.g., removing access for staff who have left, limiting access to specific roles, or allowing access on a time-limited basis.
Such security controls feed directly into the GDPR requirements to integrate appropriate technical security measures to protect data and mitigate the liability of the data controller when (not if) they suffer a data breach.
Numerous national Data Protection Authorities have specified that they will use the GDPR as a lever to improve the information security profile of businesses within their jurisdiction.
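The access management points above (leavers, role restriction, time-limited grants) are routinely checked by hand during an assessment, but they are also simple to automate as a periodic access review. The following is an added example (not code from the original post) that reconciles a list of grants on a data store against an HR roster, the grant expiry dates and the roles the store's owner permits, and returns each revocation with its reason. Service accounts are judged through a named human owner. The column names, the `svc-` convention and all sample data are constructed for the example.

```python
from datetime import date

# Constructed inputs (not real data): current grants on a data store, the HR roster
# (user -> leaving date, None means still employed; a user absent from the dict is
# unknown to HR), the owner of each service account, and the permitted roles per dataset.
GRANTS = [
    {"user": "alice",   "role": "analyst",    "dataset": "customers", "expires": None},
    {"user": "bob",     "role": "analyst",    "dataset": "customers", "expires": date(2024, 3, 31)},
    {"user": "carol",   "role": "support",    "dataset": "customers", "expires": None},
    {"user": "dave",    "role": "contractor", "dataset": "customers", "expires": date(2024, 12, 31)},
    {"user": "svc-etl", "role": "pipeline",   "dataset": "customers", "expires": None},
]
ROSTER = {"alice": None, "bob": None, "carol": date(2024, 4, 15), "dave": None}
SERVICE_OWNERS = {"svc-etl": "alice"}
PERMITTED_ROLES = {"customers": {"analyst", "pipeline"}}


def review_access(grants, roster, permitted, service_owners, today):
    """Return (revoke, ok): the grants that must be removed, each with its reason, and the
    user names that passed. Checks in order: principal unknown to HR, principal has left,
    time-limited grant expired, role not permitted on that dataset. The first failing
    check wins, so a leaver is reported as a leaver even if the grant has also expired."""
    revoke, ok = [], []
    for grant in grants:
        user, dataset = grant["user"], grant["dataset"]
        # A service account is judged by the person accountable for it.
        principal = service_owners.get(user, user)
        reason = None
        if principal not in roster:
            reason = f"{principal} not on HR roster"
        elif roster[principal] is not None and roster[principal] <= today:
            reason = f"{principal} left on {roster[principal]}"
        elif grant["expires"] is not None and grant["expires"] < today:
            reason = f"time-limited access expired on {grant['expires']}"
        elif grant["role"] not in permitted.get(dataset, set()):
            reason = f"role {grant['role']} not permitted on {dataset}"
        if reason:
            revoke.append((user, reason))
        else:
            ok.append(user)
    return revoke, ok


if __name__ == "__main__":
    revoke, ok = review_access(GRANTS, ROSTER, PERMITTED_ROLES, SERVICE_OWNERS, date(2024, 6, 1))
    for user, why in revoke:
        print("revoke", user, "-", why)
    print("ok", ok)
```

Running such a review on a schedule, and keeping its output, gives the assessor the evidence that the access controls are enforced and not merely documented, which is the distinction the next section is about.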
Assessment of access procedures, policy, and legal contracts
An essential component of an organisation’s information security arsenal is their compliance documents, including policies and procedures.
These need to be maintained and be both enforced and enforceable. Assessing an organisation’s GDPR compliance requires examining existing policies and procedures and updating as necessary.
Specific risks and mitigation actions:
- review the existing legal agreements between controllers and their processors
- ensure they contain sufficient clauses that clearly set out the relationship between controller and processor, including what data the processor may receive and for what purpose
- processors must never be placed in a position where they determine the purposes and means of processing personal data, since that would make them a controller in their own right
Read about our Data Governance for more information.