There is no doubt that the office of the DPC has moved from a GDPR guidance mode to a GDPR enforcement mode. It is hardly surprising considering the GDPR has now been in effect for over 4 years. This shift in focus is partly related to the reality that many high profile investigations are largely complete, notwithstanding the likelihood of future appeals that will take up more time. GDPR and data protection law experts, GDPRXPERT.ie, are aware of increased contact from the office of the DPC to organisations of varying size. In general, these contacts are the result of complaints from members of the public who now seem more knowledgeable about their rights under the GDPR and general data protection law. Undoubtedly, there has been a consequential increase in complaints to the DPC, most especially emanating from individuals fearing breaches of their rights. An intense and sustained GDPR awareness building programme by the DPC has been very successful, with the result individuals are very knowledgeable concerning their GDPR rights and the responsibilities and obligations of data controllers. Anecdotal evidence suggests that security of personal data processing has been a consistent element of complaints.
The very essence of any right to data protection is that a mechanism must be provided to ensure a data subject’s personal data are adequately protected. We now know that the GDPR takes a pro-active risk based approach to force the data controller to implement measures, in order to minimise risks to personal data. It is seen in Art.24(1) GDPR that the controller must implement appropriate organisational and technical measures to ensure and demonstrate compliance with the GDPR. It also stipulates constant review and updating. Data breaches rank high on the risk scale. Art.32(2) GDPR stipulates that in assessing the appropriate level of security account shall be taken in particular of the risks presented by processing, Risks are always present but, especially “ from accidental or unlawful destruction, loss , alteration , unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed”. These risks mandate a level of security appropriate to the harm that might result.
Recital 75 GDPR lays out what is a comprehensive summation of the risks that the GDPR hopes to manage. Such a list can not be an exhaustive one as data processing technology is changing and evolving all the time. We know the onus is on the controller (from Art. 24 GDPR) to determine the risks of varying likelihood and severity for the rights and freedoms of natural persons. Various risks to rights and freedoms may result from data processing that leads to physical, material or non material damages. As referred to earlier in the text, Recital 75 sets out a mixture of potential ultimate consequences. These include, in particular, where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantages. There is the potential for deprivation of many rights and freedoms and a loss of control over one’s own data. Personal data may be processed and reveal all sorts of sensitive data including health, religion, political opinion, racial or ethnic origin, genetic data and many more.
Determining these risks is aided by reference to the nature, scope, context and purposes of the processing. These criteria ,in conjunction with the knowledge of the available technology and the cost of implementation of up to date technology, aid the controller in deciding what is ‘an appropriate level’ of security. The level of security must also be balanced, in the sense that it is proportionate to the perceived/assessed risks to the rights and freedoms of natural persons. As the risk assessment determines the appropriate level of security to be incorporated into the process, it must be of a high quality and leave nothing to chance. Two very basic requirements must be met:
- Any assessment must be objective; and must
- Take account of the likelihood and severity of the risk; this has to include an assessment of the risks that arise from the personal data processing itself, and any risks that would arise in the case of an actual data breach.
Any objective assessment must at the start incorporate an analysis of the characteristics of the processing activity. Account needs to be taken of, for example;
- The origin of the data;
- Nature of the processing activity;
- The scope of the processing activity
- The context and purpose of the processing;
- The likelihood and severity of risks;
- Purpose of the processing activity ; and
- the identification of the best technical and organisational measures to mitigate such risks.
Looking at all these aspects will help the data controller establish the level of risk involved in all data processing operations. Best practice would dictate a prudent controller maintains a record that details processing operations, associated risk ( risk levels will be assessed later) and measures taken to address the risks identified. The objective risk assessment also forms part of the required information to maintain the record of processing activities under Art. 30 GDPR. Take the example below:
External payroll for employees wages
|Payroll service might have lax data protection procedures
|Measures taken to mitigate risk
|Assessment on payroll service found high data protection security in place
|No apparent risk
Somewhat ironically, the best way of assessing risks is to look at actual causes of data breaches incidents. Data controllers strive to avoid data breaches but the fact is they provide best evidence of the risks inherent in some processing operations! An assessment of these characteristics should contribute to establishing whether the particular data processing operation involves any risk or if there is a risk, whether it is high or low in nature.
The Regulation also recognizes these risks when processing personal data and places the responsibility on the controller and the processor in Art. 32(1) of the General Data Protection Regulation to implement appropriate technical and organisational measures to secure personal data. The GDPR deliberately does not define which specific technical and organisational measures are considered suitable in each case, in order to accommodate individual factors. However, it gives the controller a catalogue of criteria to be considered when choosing methods to secure personal data. Those are the state of the art, implementation costs and the nature, scope, context and purposes of the processing. In addition to these criteria, one always has to consider the severity of the risks to the rights and freedoms of the data subject and how likely those risks could manifest. This basically boils down to the following: The higher the risks involved in the data processing and the more likely these are to manifest, the stronger any security measures that are taken have to be and the more measures must be taken.
(Data controllers and data processors are also obliged to ensure that their staff and “other persons at the place of work” are aware of security measures and comply with them. The legal obligation to keep personal data secure applies to every data controller and data processor, regardless of size. While most of the information below applies to any such organisation, some aspects would only apply to a larger organisation using an IT network.
Issues that data controllers and data processors should consider when developing their security policies: ( much of the information in the next few sections below is from the DPC guidance note ‘Guidance for Controllers on Data Security’ available at www.dataprotection.ie )
A data controller has a duty to limit access to personal data on a “need to know” basis. Greater access limitations or controls should apply to more sensitive data. A data controller must be aware of the different users who access their systems/records and their requirements. The different types of users could include:
- staff at various seniority, operational or responsibility levels;
- third party contractors/data processors;
- customers; and
- business partners
The different requirements of each of these types of users has to be considered. It should not be a ‘one size fits all’ approach but rather access privileges being directly measured to meet the requirements. The nature of access allowed to an individual user should be set and reviewed on a regular basis. It should go without saying that individual staff members should, among other things, only have access to data which they require in order to perform their duties. Shared credentials (multiple individuals using a single username and passwords) should not be tolerated. Specific procedures sometimes referred to as a “movers, leavers and joiners” policy are required in all organisations with access to personal data to decide when to maintain, increase or restrict previous access where a user role changes. Access control must be supported by regular reviews to ensure that all authorised access to personal data is strictly necessary and justifiable for the performance of a function.
IT administrator accounts with unrestricted access to personal data warrant special attention. Policies should be in place in regard to vetting and oversight of the staff members allocated these accounts. A staff member with such responsibilities should have separate user and administrator accounts. Multiple independent levels of authentication may be appropriate where administrators have advanced or extra access to personal data or where they have access or control of other’s account or security data.
All organisations big and small must guard against potential downloading of personal data from the organisation’s own systems. This has to be strictly controlled. Such downloading can be blocked by technical means (disabling drives, isolating network areas or segments, etc). Many organisations have taken a decision to block access to USB ports having examined the inherent risks involved in leaving such ports open by default for all users.
Users should have a unique identifier, such as a password, passphrase, smart card, or other token, to allow access to personal data. These are just examples, not an exhaustive list; for example, a biometric (e.g. a fingerprint, voice or retina scan) can also be used as a unique identifier. However, as biometrics in themselves raise serious data protection and privacy issues, their use should only be considered where other authentication methods are demonstrably insufficient.
Passwords are a word or string of characters. A strong password should include a minimum of twelve characters (the longer the password, the harder it is for a computer to guess) and may contain one or more of the following:
- letters (upper and lower case);
- symbols (e.g. &, *, @, €, $, etc.);
- numbers ( 0 – 9 ); and
- punctuation (?, “, !).
However, users should not be required to use a mix of many types of character, as a strong password can be created using only one type of character (e.g. letters) once it is sufficiently long and hard to guess (for computers as well as people). Passwords should be reasonably easy for the user to remember but very difficult for anyone else to guess. Examples might include:
- M1_s?n, “The_^v1at#r”! (based on ‘My son, “the aviator”!’ with random characters replacing certain vowels or other letters)
- Te@m5Rb@dp@55word5 (based on ‘Teams are bad passwords’ with numbers and symbols replacing certain letters) Please do not use these examples as actual passwords! Passwords should not contain values known to be commonly-used or expected in passwords, or those which have been compromised. For example, users might be limited from using passwords which include but not limited to:
- Passwords obtained from previous breaches;
- Dictionary words;
- Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’);
- Context-specific words, such as the name of the service, the username, or derivatives thereof.
Passphrases are similar to passwords, but represent a sentence or sequence of words. They should include twenty characters or more and may also include symbols, numbers and punctuation marks, e.g.
- “I Love the musical, The Sound of Music 2!”
Data controllers should enforce password complexity and length, such as through rules that ensure that weak passwords and reused passwords are rejected. Users should not be required to change their password or passphrase arbitrarily (e.g. too frequently), as this can actually reduce password security (for example, by increasing reliance on simple passwords or reusing passwords). However, users should be required to change their password or passphrase if there is evidence it has been compromised or revealed, or when there is some other change in risk. Data controllers should never store users’ passwords as plain text but should use strong and irreversible cryptographic hashing and salting to protect them and to allow secure checking for login purposes. Data controllers should ensure that users are made aware that their password/passphrase is unique to them and must not be disclosed to anyone else. Shared credentials (where multiple users use the same login and password) should never be permitted. Vendor supplied defaults for system passwords and other security parameters should never be left in place. Data controllers must ensure that partner organisations with access to their systems or personal data respect these controls. Where possible, data controllers should promote password diversity by reminding users of the risks associated with password reuse across other internet services.
Multi-factor authentication (MFA) refers to there being more than one identity factor employed for access authentication. A commonly used option in many services is ‘2FA’, which means that two factors for authentication are used. For example, instead of just using a password of their choosing, a user may have a second factor such as a biometric (e.g. a fingerprint scanner), or an “out-of-band” or alternative communication channel send a passcode to a secondary email address, phone number, or device. It should be noted, however, that some of these secondary channels are more secure than others Devices such as smart cards or tokens, as well as standalone mobile apps, can be used as part of MFA, to provide authentication either by generating a code to be entered or containing a chip that authenticates with the system being accessed. They may generate a PIN number that is valid for a very short period of time. This is used in conjunction with a username and password to authenticate the user, and can reduce the risk of ‘brute force’ password attacks or attacks where passwords have been stolen.
Automatic Screen Savers
Most systems allow for screensavers to activate after a period of inactivity on a computer, requiring a password to re-establish access. This automatic lock activation is useful as the alternative manual locking of a workstation requires positive action by the user every time he/she leaves the computer unattended. Regardless of which method an organisation employs, computers should be locked when unattended. This applies not just to computers in public areas, but to all computers. It is pointless having an access control system in place if unattended computers may be accessed by any staff member, or where a shared password is used.
Encryption as a concept is explicitly mentioned as one possible technical and organisational measure to secure data in the list of Art. 32(1) of the GDPR, which is not exhaustive. Again, the GDPR does not mention explicit encryption methods to accommodate for the fast-paced technological progress. When choosing a method one must also apply the criteria catalogue above. To answer the question of what is currently considered “state of the art” data protection officers usually rely on the definitions set out in information security standards like ISO/IEC 27001 or other national IT-security guidelines.
Companies can reduce the probability of a data breach and thus reduce the risk of fines in the future, if they chose to use encryption of personal data. The processing of personal data is naturally associated with a certain degree of risk. Especially nowadays, where cyber-attacks are nearly unavoidable for companies above a given size. Therefore, risk management plays an ever-larger role in IT security and data encryption is suited, among other means, for these companies. In general, encryption refers to the procedure that converts clear text into a hashed code using a key, where the outgoing information only becomes readable again by using the correct key. This minimises the risk of an incident during data processing, as encrypted contents are basically unreadable for third parties who do not have the correct key. Encryption is the best way to protect data during transfer and one way to secure stored personal data. It also reduces the risk of abuse within a company, as access is limited only to authorised people with the right key. As with passwords, this measure is pointless unless the key to decrypt the data is kept secure.
Encryption of personal data has additional benefits for controllers and/or order processors. For example, the loss of a state of the art encrypted mobile storage medium which holds personal data is not necessarily considered a data breach, which must be reported to the data protection authorities. In addition, if there is a data breach, the authorities must positively consider the use of encryption in their decision on whether and what amount a fine is imposed as per Art. 83(2)(c) of the GDPR.
Anti-virus software is not only required to prevent infection from the internet (either email or web-sourced) but to prevent viruses that may also be introduced from portable devices, such as memory sticks (the use of which should be strictly limited). No antivirus package will prevent all infections, as they are only updated in response to infections. It is essential that such software is updated on a regular basis and that policies support vigilance in regard to potential threats. A policy of not opening email attachments from unexpected sources can be a useful way of preventing infection.
A firewall is essential where there is any external connectivity, either to other networks or to the internet. It is important that firewalls are properly configured, as they are a key weapon in combating unauthorised access attempts. The importance of firewalls has increased as organisations and individuals avail of “always-on” internet connections, exposing themselves to a greater possibility of attack.
Patches are the latest updates from the creator of your operating system software or application software. They usually contain fixes to potential security concerns and can be an important tool in preventing hacking or malware attacks. Organisations should ensure that they have regular, consistent and comprehensive patch management procedures in place. Where possible, before installing the very latest patches, it is good practice to install these patches in a test environment to ensure that the patches do not create other issues with your systems. A record should also be kept of the date and patch installed on a system.
Where a staff member/contractor is allowed to access the network from a remote location (e.g. from home or from an off-site visit), such access creates a potential weakness in the system, not least when accessed from a wireless network. For this reason the need for such access should be properly assessed and security measures reassessed before remote access is granted. If feasible, the access should be limited to specific IP addresses. Security should be the first consideration in granting access to partner organisations.
Technical security measures, security assessments, contractual agreements in line with the requirements of the GDPR and the Data Protection Act 2018, and agreed standards of management of shared assets are all important aspects in managing this risk. It is the responsibility of the data controller to ensure that, regardless of the means by which a user remotely accesses their system, the security of the system cannot be compromised. Multifactor authentication for such access should be considered in this context.
Access to a server by means of a wireless connection can expose a network to attack. The physical environment in which such systems are operated may also be a factor in determining whether weaknesses in the system security exist. As with remote access, wireless networks should be assessed on security grounds rather than solely on apparent ease of use. Data controllers must ensure that adequate security is in place on the network through, for example, appropriate encryption measures or specification of authorised devices.
Particular vulnerabilities are associated with the use of third party unsecured WiFi networks (e.g. those provided in airports, hotels, etc.). A device using such a network may be open to attacks from other machines on the network. A good firewall should be installed on the portable device to prevent such attacks. The device should only connect to the network when necessary. When using unsecured WiFi to transmit personal or sensitive data, a secure web session should be in place to protect the data.
Laptops, USB keys, smartphones, and other forms of portable device are especially vulnerable to theft and accidental loss. Where a data controller considers it essential to store personal data on a portable device, these devices should be encrypted. Whole disk encryption should be used to mitigate against storage of files outside of an encrypted segment of the disk.
In the case of smartphones, a strong password should be required at start up and also after several minutes of inactivity. When such a device is lost steps should be taken immediately to ensure that the remote memory wipe facility is activated. Staff allocated such devices should be familiar with the relevant procedures.
Logs and Audit Trails
Access control systems and security policies are undermined if the system cannot identify abuses. Consequently, a system should be able to identify the user name that accessed a file and the time of the access. A log of alterations made, along with author / editor, should also be created.
Logs and audit trails can help in the effective administration of the security system and can deter staff members tempted to abuse the system. Staff should be informed that logging is in place and that user logs are regularly reviewed. Monitoring processes should focus not only on networks, operating systems, intruder detection systems and firewalls, but should include remote access services, web applications and databases. Logging systems can generate lots of information and an automatic means such as a System Information Event Monitor (SIEM) to filter and alert security staff about irregular audit trail entries may assist in its effective use.
An intruder detection system (IDS) acts as an internal alarm system that monitors and reports on malicious activities on a network or system. Such systems also aim to detect attacks that originate from within the system. Any organisation processing large volumes of personal data should have an IDS deployed and activated. Where alerts/events are generated by any such systems there must be a meaningful system in place to examine them in a timely fashion. This is to assist in identifying unusual activity and take immediate corrective action if there is an ongoing breach of security.
A back-up system is an essential means of recovering from the loss or destruction of data. While some system should be in place, the frequency and nature of back up will depend, amongst other factors, on the type of organisation and the nature of data being processed. The security standards for back-up data are the same as for live data.
Incident Response Plans
Even with the best designed systems, mistakes can happen. As part of a data security policy, an organisation should anticipate what it would do if there were a data breach so that it can be ready to respond. Some questions you might ask yourself:
What would your organisation do if it had a data breach incident?
- Have you a policy in place that specifies what a data breach is? (It is not just lost USB keys/disks/laptops. It may include any loss of control over personal data entrusted to organisations, including inappropriate access to personal data on your systems, or the sending of personal data to the wrong individuals).
- How would you know that your organisation had suffered a data breach? Does the organisation’s staff (at all levels) understand the implications of losing personal data?
- Has your organisation specified whom staff tell if they have lost control of personal data?
- Does your policy make clear who is responsible for dealing with an incident?
- Does your policy cover the requirements of mandatory breach reporting (where applicable) under the Data Protection Act 2018, the GDPR, and/or the ePrivacy Regulations (SI 336/2011) (including new availability and resilience requirements)?
The Human Factor
No matter what technical or physical controls are placed on a system, the most important security measure is to ensure that staff are aware of their responsibilities. Passwords should not be written down and left in convenient places; passwords should not be shared amongst colleagues; and unexpected email attachments should not be opened unless first screened by anti-virus software. Effective employee training about the risks of data compromise, their role in preventing it and how to respond in the event of problems can be a very effective line of defence. Many organisations set security policies and procedures but fail to implement them consistently. Running scenario based training sessions may assist in effective training.
Controls focused on individual and organisational accountability and ensuring that policies are carried out are an important part of any system designed to protect personal data. Identify essential controls first and ensure that these controls are implemented across the organisation without exception. Once this is in place, move on to more advanced controls designed to mitigate the risks specific to the organisation and the type(s) of data processed.
Data controllers must have procedures in place to manage staff turnover, including retrieval of data storage devices and quick removal of access permissions.
Many data breaches have a very avoidable cause. It is wise to start looking at the at the simple things before focusing on the more complex.
GDPRXpert.ie are GDPR and data protection law consultants offering expert advice on all aspects of data protection law compliance. Remember what we have just stated. The guidance and education mode from the DPC has changed and moved to enforcement.
Patrick Rowland at www.gdprxpert.ie