GDPR for Dummies — Vol. 3
GDPR. Christmas comes early this year, as we have taken it upon ourselves to read 88 pages of lawyer nonsense and provide you with some of the basic information you need in order to be prepared for when the General Data Protection Regulation comes into force. During the coming weeks, we will present to you an advent calendar of GDPR articles, this being the third. Read the first and the second here and here.
Step #3 — Security
Alright! Two weeks ago we introduced you to the basics of the GDPR and we encouraged you to get an overview of the data you process. Last week, we urged you to create a transparent archive and alter the way you collect consent. This week we will take a look at the security measures you have to take. Remember, if you are a controller, you have the responsibility to check if your data processors are compliant.
If you have a board or an executive manager, it is their responsibility to take security measures and develop a code of conduct for the company. A secretary from the HR department will not have the legal responsibility — the board will. Make sure that data protection is scheduled as a talking point at board meetings at least twice a year, and that you record it in the minutes. It is very important that you are able to prove that you are doing your best to avoid breaches.
If your core activity is data processing (in which case we recommend that you look for information elsewhere), you have to make a DPIA (Data Protection Impact Assessment), which is an analysis of the security consequences of your new data processing. If your evaluation indicates that your data processing involves a high risk, a consultation of the supervisory authority should take place. Even though this is not mandatory for you, you should still consider it a very useful approach. Analyse, decide, record — this is a brilliant way to become more conscious about personal data.
Make a well-documented plan
Make a breach notification system
Make sure that your data processors are compliant by May 2018
Security
Before we go into detail, let us just make one thing clear: everything can get hacked. Kept digitally, data will always be vulnerable to Putin’s army of hackers, and kept physically, intruders can (potentially) look into your binders even if they are kept in a Franz Jaeger. There is no way you can be 100 % sure.
For this reason, you have to minimize the data you process and adopt what the European Union calls a risk-based approach.
The regulation states that data controllers must “implement appropriate technical and organisational protection measures”. You shall take all state-of-the-art solutions into account. These solutions change over time, so it is impossible to say anything conclusive about this matter, but Gmail accounts (do you remember Hillary Clinton?) and USB sticks might not be considered secure storage spaces if the personal data is not encrypted.
If you prefer to keep all your documents on old-school paper, you have to lock them up in order to limit access. When you erase data, you have to shred, burn or dip the paper in acid so that no one can access the data afterwards.
Computers need an updated firewall and antivirus software installed. Note also that passwords should be checked at least once a year and that access should be limited. These, of course, are quite obvious security measures.
It would be a good idea to use logging to monitor who sees what data, and when. This will deter some curious intruders and make you aware of breaches. Systems that are able to detect certain patterns and abnormal traffic (like five new Moscow-based readers) could also be a good idea.
Breaches in GDPR
Breaches of security leading to accidental or unlawful destruction, alteration or unauthorized access have to be followed by a notification to the data subject.
The breach notification becomes mandatory if a data breach is likely to result in a risk to the rights and freedoms of individuals. The notification must be made within 72 hours of having become aware of the breach.
If there is a high risk, the notification has to be made without any delay.
Privacy by design (or by default)
Privacy by design calls for the inclusion of data protection from the onset of the designing and engineering of systems. Systems should be designed so that controllers only hold and process data absolutely necessary for the completion of their duties.
Imagine yourself as the data subject. You need to be able to comprehend who is holding your data, and you should be conscious of when data is collected. You shall have a choice and be able to both give consent and set limits on it. It has to be done in the right context and be consistent.
When using technological solutions, you shall make sure that they only process and hold the necessary data and that it is easy to delete. You should make sure that the technological solutions are doing their best to resist intrusion and that access is restricted to as few people as possible — meaning a few named individuals.
GDPR encourages pseudonymization since data that will not make a person identifiable should be okay to process. But… the GDPR also states that: “Pseudonymization is not intended to preclude any other measures of data protection”.
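To make that last point concrete, here is an added example (our own illustration, not text from the regulation) of keyed pseudonymisation: the direct identifier is replaced by an HMAC token so records about one person still link up, whoever holds the key can still re-identify them, and the remaining indirect attributes can still single a person out. The records, key and field names are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample records (not real people). The e-mail is the direct
# identifier; the other fields are what the controller actually wants to keep.
RECORDS = [
    {"email": "anna@example.com", "postcode": "8000", "birth_year": 1984, "purchase": "skis"},
    {"email": "bent@example.com", "postcode": "8000", "birth_year": 1971, "purchase": "boots"},
    {"email": "carl@example.com", "postcode": "8000", "birth_year": 1971, "purchase": "poles"},
    {"email": "anna@example.com", "postcode": "8000", "birth_year": 1984, "purchase": "helmet"},
]


def _token(key: bytes, email: str) -> str:
    # Keyed hash: without the key the e-mail cannot be recovered from the token.
    return hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Replace the e-mail with a pseudonym. Records about the same person keep
    the same pseudonym, so the data stays useful for analysis."""
    return [
        {"pseudonym": _token(key, r["email"]), **{k: v for k, v in r.items() if k != "email"}}
        for r in records
    ]


def reidentify(pseudonymised, key: bytes, known_email: str):
    """Whoever holds the key can link a known e-mail back to its records, which
    is why the key is 'additional information' that must be stored separately
    and access-restricted, just like the personal data itself."""
    wanted = _token(key, known_email)
    return [r for r in pseudonymised if r["pseudonym"] == wanted]


def quasi_identifier_groups(pseudonymised, fields=("postcode", "birth_year")):
    """Count distinct pseudonyms per combination of indirect attributes.
    A group of size 1 means that combination alone singles out one person,
    so pseudonymisation did not remove the need for other measures."""
    groups = {}
    for r in pseudonymised:
        groups.setdefault(tuple(r[f] for f in fields), set()).add(r["pseudonym"])
    return {k: len(v) for k, v in groups.items()}


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-this-elsewhere"
    data = pseudonymise(RECORDS, key)
    print(data)
    print(reidentify(data, key, "anna@example.com"))
    print(quasi_identifier_groups(data))
```

In the sample, postcode 8000 with birth year 1984 maps to a single pseudonym, so that person is still identifiable from the "harmless" fields alone.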
Comrades! We will be back with Step #4 of our GDPR Advent Calendar next Sunday. Next time is Christmas and that calls for…
You guessed it: A SURPRISE!