As part of its drive to ensure that the personal data of data subjects is not misused or stolen, the Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR) tackles the issue of security measures very directly. Under Article 32 of the legislation, controllers and processors are required to implement “appropriate technical and organisational measures” to ensure a level of security appropriate to the risks presented by the processing.
This article includes some practical tips on how best to implement certain aspects of the security principle, drawing on advice provided by the United Kingdom’s supervisory authority, the Information Commissioner’s Office (ICO). The key takeaway message is that organisations must remain vigilant against cybersecurity threats. The nature of the threat landscape is constantly evolving, hence the response must also remain agile.
Implementing the security principle
With 2,216 confirmed data breaches across 65 countries, as published in Verizon’s 2018 Data Breach Investigations Report, avoidable data security breaches are still proving all too common for companies. It is vital that data controllers and processors consider the risks presented by accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
To promote better data security in an online environment, the ICO recently updated its advice on how certain aspects of the security principle can be operationalised. More specifically, the ICO’s updated advice relates to encryption and password protection in an online environment. For the non-technically minded reader, encryption is a technique for converting data into another form which cannot be read by third parties. To use the data, the intended recipient must convert, or decrypt, the result back into its original form, normally using a mathematical algorithm together with a secret key. By encrypting your data, you render it useless to anyone who steals it without also obtaining the key.
The advice from the ICO outlines several practical actions which controllers and processors can put in place to actualise the concepts of encryption and password protection. These can be summarised as follows:
You should consider whether there are any better alternatives to using passwords.
Any password system you deploy must protect against theft of stored passwords and ‘brute-force’ or guessing attacks.
There are several additional considerations you will need to take account of when designing your password systems, such as the use of an appropriate hashing algorithm to store your passwords, protecting the means by which users enter their passwords, defending against common attacks and the use of two-factor authentication.
You should have an encryption policy in place that governs how and when you implement encryption, and you should also train your staff in the use and importance of encryption.
When storing or transmitting personal data, you should use encryption and ensure that your encryption solution meets current standards. You should be aware of the residual risks of encryption and have steps in place to address these.
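The password points above (protecting stored passwords, resisting brute-force or guessing attacks, and using an appropriate hashing algorithm) can be illustrated in code. The following is an added example written for this article; it is not code from the ICO or from the original text. It uses the scrypt key-derivation function from Python's standard library with a random per-user salt, compares hashes in constant time, and locks an account after a number of failed attempts. The cost parameters, salt length and lockout threshold are assumed policy values, not figures from the guidance.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed policy values, not ICO figures: tune the scrypt cost so one hash
# takes tens of milliseconds on your hardware, and pick a lockout threshold
# that suits your user base.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
MAX_FAILED_ATTEMPTS = 5


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'scrypt$n$r$p$salt_hex$digest_hex'.

    A random per-user salt means identical passwords give different records
    and precomputed tables are useless; storing the parameters lets you raise
    the cost later and re-hash each user on their next successful login.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the parameters stored in the record and compare
    in constant time, so the comparison itself leaks nothing about the match."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = record.split("$")
        if scheme != "scrypt":
            return False
        candidate = hashlib.scrypt(password.encode("utf-8"),
                                   salt=bytes.fromhex(salt_hex),
                                   n=int(n), r=int(r), p=int(p), dklen=32)
        expected = bytes.fromhex(digest_hex)
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(candidate, expected)


# Constructed dummy record: a login for an unknown user costs the same as one
# for a real user, so response time does not reveal which usernames exist.
_DUMMY_RECORD = hash_password("dummy-password-never-used")


class PasswordStore:
    """In-memory store mapping username -> [hash record, failed attempts]."""

    def __init__(self) -> None:
        self._users: Dict[str, list] = {}

    def register(self, username: str, password: str) -> None:
        self._users[username] = [hash_password(password), 0]

    def is_locked(self, username: str) -> bool:
        entry = self._users.get(username)
        return entry is not None and entry[1] >= MAX_FAILED_ATTEMPTS

    def login(self, username: str, password: str) -> bool:
        entry = self._users.get(username)
        if entry is None:
            verify_password(password, _DUMMY_RECORD)  # spend the same time
            return False
        if entry[1] >= MAX_FAILED_ATTEMPTS:
            return False  # locked: refuse even the right password until reset
        if verify_password(password, entry[0]):
            entry[1] = 0  # successful login clears the failure counter
            return True
        entry[1] += 1
        return False
```

The record format carries its own parameters, which is what makes the "regularly assess" advice practical: when the cost factor is raised, old records still verify and can be replaced transparently on the user's next login. In a production system the lockout counter would live in persistent storage and be paired with rate limiting and two-factor authentication, as the guidance notes.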
It should be noted that more detailed information can be found on the ICO website.
How encryption should be implemented
Do what you may, one day you are likely to be the victim of a breach. But by encrypting your data you can render it useless to the attacker. The ICO’s guidance on implementing encryption as a security measure makes it clear to companies that they must keep in mind some critical issues, namely:
When implementing encryption, it is important to consider four things: choosing the right algorithm, choosing the right key size, choosing the right software, and keeping the key secure.
Over time, vulnerabilities may be discovered in encryption algorithms that can eventually make them insecure. You should regularly assess whether your encryption method remains appropriate.
It is important to ensure that the key size is sufficiently large to protect against an attack over the lifetime of the data. You should, therefore, assess whether your key sizes remain appropriate.
The encryption software you use is also crucial. You should ensure that any solution you implement meets current standards such as FIPS 140-2 and FIPS 197.
Advice on appropriate encryption solutions is available from a number of organisations, including the National Cyber Security Centre.
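The four considerations above (algorithm, key size, software and key handling) together with the advice to reassess them regularly lend themselves to a policy check that can be run against each encryption deployment. The following is an added example for this article, not code from the ICO or any of the organisations named; the approved algorithms, minimum key lengths, rotation and review intervals and the long-retention threshold are assumed organisational policy values. The only standards fact relied on is that FIPS 197 specifies AES and FIPS 140-2 concerns validation of the cryptographic module.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Tuple

# Assumed organisational policy, not figures from the ICO guidance.
MIN_KEY_BITS = {"AES": 128, "RSA": 2048, "ECDSA": 256}  # approved algorithms
RETIRED = {"DES", "3DES", "RC4"}   # algorithms the policy has retired outright
UNSAFE_MODES = {"ECB"}             # block-cipher modes never to be used for data
MAX_KEY_AGE_DAYS = 365             # rotate keys at least yearly
MAX_REVIEW_AGE_DAYS = 365          # re-assess the choice at least yearly
LONG_RETENTION_YEARS = 10          # data kept longer than this needs AES-256
LONG_RETENTION_AES_BITS = 256


@dataclass
class EncryptionConfig:
    """One deployment of encryption, e.g. a database at rest or a backup set."""
    name: str
    algorithm: str
    key_bits: int
    mode: str = ""
    key_created: date = field(default_factory=date.today)
    last_review: date = field(default_factory=date.today)
    fips140_validated_module: bool = False
    data_retention_years: int = 1


def assess(cfg: EncryptionConfig, today: date) -> List[Tuple[str, str]]:
    """Return (code, message) findings; an empty list means the policy is met."""
    findings: List[Tuple[str, str]] = []

    # Choosing the right algorithm
    if cfg.algorithm in RETIRED:
        findings.append(("RETIRED_ALGORITHM",
                         f"{cfg.algorithm} has been retired; migrate to AES"))
    elif cfg.algorithm not in MIN_KEY_BITS:
        findings.append(("UNAPPROVED_ALGORITHM",
                         f"{cfg.algorithm} is not on the approved list"))
    elif cfg.key_bits < MIN_KEY_BITS[cfg.algorithm]:
        # Choosing the right key size
        findings.append(("KEY_TOO_SHORT",
                         f"{cfg.algorithm}-{cfg.key_bits} is below the minimum "
                         f"of {MIN_KEY_BITS[cfg.algorithm]} bits"))
    if cfg.mode.upper() in UNSAFE_MODES:
        findings.append(("UNSAFE_MODE", f"{cfg.mode} mode leaks data patterns"))

    # Key size over the lifetime of the data
    if (cfg.algorithm == "AES" and cfg.data_retention_years > LONG_RETENTION_YEARS
            and cfg.key_bits < LONG_RETENTION_AES_BITS):
        findings.append(("KEY_SIZE_VS_LIFETIME",
                         f"data retained {cfg.data_retention_years} years; "
                         f"policy requires AES-{LONG_RETENTION_AES_BITS}"))

    # Choosing the right software
    if not cfg.fips140_validated_module:
        findings.append(("MODULE_NOT_VALIDATED",
                         "cryptographic module is not FIPS 140-2 validated"))

    # Keeping the key secure, and reassessing regularly
    if (today - cfg.key_created).days > MAX_KEY_AGE_DAYS:
        findings.append(("KEY_ROTATION_OVERDUE",
                         f"key created {cfg.key_created}; rotation is overdue"))
    if (today - cfg.last_review).days > MAX_REVIEW_AGE_DAYS:
        findings.append(("REVIEW_OVERDUE",
                         f"last reviewed {cfg.last_review}; review is overdue"))
    return findings


if __name__ == "__main__":
    # Constructed sample deployments for a review dated 1 January 2019.
    review_date = date(2019, 1, 1)
    sample = [
        EncryptionConfig("customer-db", "AES", 256, "GCM", date(2018, 9, 1),
                         date(2018, 12, 1), True, 7),
        EncryptionConfig("legacy-backup", "3DES", 112, "CBC", date(2015, 1, 1),
                         date(2016, 1, 1), False, 12),
    ]
    for cfg in sample:
        for code, message in assess(cfg, review_date) or [("OK", "policy met")]:
            print(f"{cfg.name}: {code}: {message}")
```

Running the check as part of a periodic review, or in a deployment pipeline, turns the "regularly assess" advice into something that cannot be forgotten: each finding names the configuration, the rule it breaks and the action to take, which is also the evidence a Data Protection Impact Assessment would draw on.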
Going beyond password protection and encryption
Protecting your good name comes down to two things: defence and response. You should build defences that are strong enough to send cybercriminals in the direction of an easier target. But no defence is 100 per cent effective. Should an attacker get through, you need to be prepared to respond quickly and effectively.
There are several actions you can take to ensure that your company stays ahead of potential cyber threats. Verizon’s 2018 Data Breach Investigations Report makes several useful recommendations which companies should consider when seeking to reduce the threat posed by cyber-attacks.
Be Vigilant. Don’t wait to find out about a breach from law enforcement or a customer. Log files and change management systems can give you early warning of a security compromise.
Make people your first line of defence. Do your employees understand how important cybersecurity is to your brand and your bottom line? Get them on board and teach them how to spot the signs of an attack and how to react.
Only keep data on a need-to-know basis. Do you know who can see your sensitive data and systems? Limit access to the people who need it to do their jobs and have processes in place to revoke it when they change roles.
Patch promptly. Cybercriminals are still successfully exploiting known vulnerabilities. You can guard against many threats simply by keeping your anti-virus software up to date.
Don’t forget physical security. Not all theft happens online. Surveillance cameras and entry systems for restricted areas, for example, can help avoid criminals tampering with systems or stealing sensitive data.
In summary, the GDPR is the most high-profile legislation to affect the management of personal data in many years. To make good on the GDPR’s promise, regulators need to articulate clear standards and provide practical advice to help companies and individuals adapt to the new reality. Over time, this will allow a body of good practice to emerge that citizens and companies can draw upon to ensure that the spirit of the GDPR is followed.
The advice provided in relation to encryption and password protection is an example of such good practice. Companies should remember though that encryption and password protection are not always watertight and should be considered alongside other technical and organisational security measures. It is therefore highly recommended that companies conduct a Data Protection Impact Assessment to determine the most appropriate security measures to implement in any given scenario.