Article written by Florence BONNET @CILCONSULTING (with the participation of Davy DOUHINE [1], Expert in IT Security)
Data security constitutes an essential part of the General Data Protection Regulation[2]. Data controllers and data processors cannot strive to be compliant without adopting personal data security measures.
Deliberate violations of personal data security, as well as negligence, are punishable by administrative fines that can reach up to €10M or 2% of the total worldwide annual turnover of the preceding financial year. The degree of responsibility shall depend notably on the technical and organizational measures implemented by virtue of the “Data Protection by Design” principle and the data security principles.
However, in spite of the real risk of the administrative sanctions mentioned above and of the cyber-crime threat, the large majority of organizations have not yet implemented even the most basic security controls[3]. Unfortunately, numerous organizations still do not take data security seriously.
The GDPR’s confidentiality and security obligations cover not only the data processed, but also the “equipment used” and the unauthorized use of said data and equipment. In sum, these obligations form the pillars of the overall obligation to secure the information system.
Article 5 provides that the data must not only be protected against any unauthorized or illegal processing, but also against any loss, destruction or accidental damage.
The GDPR also indicates that, when developing, designing and selecting applications, services and products that process personal data, product manufacturers, service providers and application developers must integrate the right to personal data protection at the development and design stages of such products, services and applications[4].
- Misconduct such as negligence or accidental harm may constitute a violation of the data security obligation.
- Data integrity and confidentiality must be guaranteed by means of the appropriate technical or organizational measures which are adapted to each context.
- Data security needs to be integrated by default and at the design stage into the products, services and applications.
Who Is Responsible for Data Security?
Data controllers now share the personal data security obligation with data processors.
The data processor must provide guarantees regarding their specialized knowledge on security measures.
Furthermore, each data controller and/or their EU representative (if the data controller is established outside the EU) must describe, within their data processing register, the technical and organizational security measures for the data processing activities.
Finally, the GDPR specifies that the data controller must demonstrate the “efficiency” of said measures.
What Does “the Appropriate Technical and Organizational Measures” Mean?
In regard to this notion, Article 32 of the GDPR is more precise than Directive 95/46/EC, which was transposed into French law by the French Data Protection Act of 6 January 1978.
On one hand, the measures depend on the state of the art and the cost of implementation.
These measures, which must be adapted to the needs of each organization, include among others:
- the pseudonymization and encryption of personal data, which are used to limit the risk for individuals and to comply with the Data Protection by Design and by Default principles.
Pseudonymization is a technique that allows an organization to process personal data in such a way that the data can no longer be attributed to a specific person without the use of additional information. That additional information must be kept separately and secured, so that data subjects cannot be re-identified from the pseudonymized data alone.
In this regard, the GDPR states that multiple pseudonymization measures should be possible within a single data controller, as long as they still allow general analysis.
Encryption is designed to render data unintelligible to entities outside of the data processing. Only authorized entities (people, machines) may be able to decrypt the data and access its content in clear text. End-to-end encryption, for example, protects and ensures data confidentiality. However, not all encryption solutions are equal. Because available computing power is constantly increasing and research into the weaknesses of cryptographic techniques is accelerating, organizations must evaluate which solution is appropriate for their particular situation[5].
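As an added illustration of the pseudonymization principle described above (this is not code from the article or its authors, and the customer records and log event below are constructed), the following Python snippet replaces direct identifiers with tokens computed by a keyed hash. The key and the token-to-value lookup table are the “additional information”: they are produced and held apart from the pseudonymized data set, so the data set alone cannot be attributed to a person, while records about the same person remain linkable for analysis. A deliberately weak unkeyed hash is included only for comparison, to show why the key matters.

```python
"""Keyed pseudonymization with the re-identification material held apart
from the data set. Added example for this article; not the authors' code.
All records below are constructed sample data."""
import hashlib
import hmac
import secrets

# Constructed sample data: fictional customers and one security log event.
CUSTOMER_RECORDS = [
    {"email": "alice@example.org", "city": "Lyon", "purchases": 3},
    {"email": "bob@example.org", "city": "Lille", "purchases": 1},
    {"email": "alice@example.org", "city": "Lyon", "purchases": 2},
]
LOG_EVENT = {"ts": "2017-01-01T10:00:00Z", "client_ip": "203.0.113.7",
             "action": "login_failed"}


def new_pseudonymization_key() -> bytes:
    """Secret key for the keyed hash. It is part of the 'additional
    information' and must be stored apart from the pseudonymized data
    (for instance in a key vault with its own access controls)."""
    return secrets.token_bytes(32)


def make_token(key: bytes, value: str) -> str:
    """Deterministic pseudonym: same value and key -> same token, so records
    about one person stay linkable; without the key a known value cannot be
    recomputed into its token (truncated HMAC-SHA-256, 64 bits shown)."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, key: bytes, fields):
    """Replace each direct identifier named in `fields` with a token.
    Returns (pseudonymized records, lookup table). The lookup table maps
    token -> original value and must be stored separately from the records."""
    pseudo_records, lookup = [], {}
    for record in records:
        copy = dict(record)
        for field in fields:
            if field in copy:
                token = make_token(key, copy[field])
                lookup[token] = copy[field]
                copy[field] = token
        pseudo_records.append(copy)
    return pseudo_records, lookup


def reidentify(record, lookup, fields):
    """Reverse the pseudonymization for an authorized purpose, which is only
    possible with the separately held lookup table."""
    restored = dict(record)
    for field in fields:
        if field in restored:
            restored[field] = lookup[restored[field]]
    return restored


def unkeyed_hash_matches(value: str, token: str) -> bool:
    """Weak alternative shown for comparison: an unkeyed SHA-256 of the value.
    Anyone holding a list of candidate values could recompute such hashes and
    re-identify records, which is why the keyed construction above is used."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:16] == token


if __name__ == "__main__":
    key = new_pseudonymization_key()
    pseudo, lookup = pseudonymize(CUSTOMER_RECORDS, key, ("email",))
    for rec in pseudo:
        print(rec)
    print("re-identified:", reidentify(pseudo[0], lookup, ("email",)))
```

The same `pseudonymize` call works on the security log event (`fields=("client_ip",)`), which is the situation the article returns to when it discusses cloud-hosted log analysis: the IP is replaced before the event leaves the organization, and only the holder of the lookup table can map a token back to an address. Rotating the key produces a fresh, unlinkable set of tokens, which is one way to keep several pseudonymization measures within one controller.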
- measures ensuring the confidentiality, integrity, availability and ongoing resilience of information systems and data processing services;
- measures allowing organizations to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident;
- a procedure designed to regularly test, analyze and evaluate the efficiency of the technical and organizational measures implemented to ensure the security of the data processing.
The organization must thus plan frequent security audits to verify its organizational security, its business continuity plan and its disaster recovery plan, as well as carry out technical tests (vulnerability audits, penetration tests[6]…).
The guidelines and best practices on information security management[7], as well as the recommendations of recognized organizations such as ANSSI[8], OWASP[9] or ENISA[10], provide tools for knowing and understanding the state of the art.
The implementation of an approved code of conduct or a certification mechanism may also serve as proof for demonstrating compliance with these requirements.
On the other hand, the appropriate measures depend on the nature, the scope, the context, the purposes and the risks regarding the data processing.
The risks are evaluated with regard to the rights and liberties of natural persons. These risks notably result from the destruction, loss, alteration or unauthorized disclosure of transferred personal data; the retention or processing of said data for a different purpose; or unauthorized, illegal or accidental access to said data that may lead to physical or material damage or harm to data subjects.
Such is the case when the processing activity could result in discrimination, theft, identity theft, financial loss, harm to one’s reputation, disclosure of confidential data that is protected by professional secrecy, unauthorized reversal of pseudonymisation procedures, or any other important economic or social harm.
The same applies for cases where data subjects may be denied their rights and liberties or lose their control over the use of their personal data; when the data processing covers a large quantity of sensitive data or vulnerable persons; or also when the personal aspects of individuals are evaluated for individual profiling purposes.
The risks are methodically assessed according to their degree of probability and gravity. The CNIL recommends that organizations use the EBIOS method, which has been adapted to personal data protection. However, entities may use other methods such as ISO 27005.
Cyber-Security Services and Automated Data Processing in the Cloud
In its recitals, the GDPR indicates that the data controller has a legitimate interest in processing personal data to block unauthorized access to electronic communication networks, to stop the distribution of malicious code, to ward off “denial of service” attacks and to prevent damage to electronic communications and information systems.
This data processing must, however, comply with the data protection principles. It must be strictly necessary and proportionate; the individuals must be informed; and the processing must not result in the transferring of personal data outside the European Union without the accompaniment of an approved legal framework.
Cloud-hosted cyber-security services are indeed very much in fashion[11].
Given the quantity of logs generated, organizations may use innovative tools that process the logs on the fly in order to correlate the data. These tools are generally reserved for companies whose operational security is already relatively mature. It is also possible to subcontract this type of service. In any case, the risks that this processing implies for the protection of personal data must be taken into consideration. Certain products are developed entirely in France in partnership with research centers and can be used in SaaS mode with the option of storing the data in France.
“Threat intelligence” software is also widely used in larger entities, as is software performing high-level data analysis (“Big Data Analytics”) to respond to data incidents by understanding how, by whom and when the data were used.
These products process high volumes of identifying data, information on individuals’ behavior, sometimes even pieces of communications (e-mail headers, telephone or instant messaging metadata), or even geolocation data. In general, all or part of the data is analyzed in the “cloud”, and often outside the European Union. As with any type of big data processing involving personal data, the risks inherent to each type of processing must be assessed.
Security Requirements Impose a Continuous Improvement Approach
Such an approach demands sufficient time and requires the early assessment of budgetary choices.
Organizations must therefore adopt without delay a number of measures such as:
- Raise the awareness of staff members, sub-contractors, IT teams, the board of directors and developers regarding the fundamental principles of data protection and the human vulnerabilities exploited by social engineering;
- Define roles and responsibilities with the internal departments and/or with the help of professional services;
- Analyze the risks inherent to the personal data processing activities;
- Define the appropriate measures to be adapted to the risks;
- Comply with the principles of defense-in-depth to protect each element of the chain;
- Document the policies and procedures;
- Structure a team responsible for the operational security;
- Verify, correct and improve.
[2] Regulation (EU) 2016/679, http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG&toc=OJ:L:2016:119:TOC
[3] Source: ENISA
[4] Application of the “Data Protection by Design” principle
[5] http://www.ssi.gouv.fr/guide/cryptographie-les-regles-du-rgs/
[6] http://randorisec.fr/a-few-tips-on-burp-suite-and-web-application-penetration-testing/
[7] Example: ISO 27002:2013 provides guidelines for organizational standards regarding information security and best practices for information security management.
[8] Agence nationale de la sécurité des systèmes d’information (French National Agency for the Security of Information Systems)
[9] Open Web Application Security Project
[10] European Union agency tasked with network and information security
[11] Real-time monitoring and analytics, advanced authentication and identity and access management.