Data Protection Officer (DPO) GDPR Personal data

Safe data everywhere

Recently an article appeared in Marketing Rendement magazine. The article written by H. Kortekaas describes how you, as a company, can best approach the entire GDPR process. After all, it is not easy to prepare for the new privacy law. Mr Kortekaas will give you a number of handles, tips, tricks and concepts. He explains cybersecurity to the layman in clear language, because they (unfortunately) also have to believe it. Read the full article below.

When the General Data Protection Regulation (GDPR) comes into effect in May, you should have your measures to prevent a data breach on the road. A requirement of the GDPR is that you take “appropriate security measures” for this. Of course, your primary concern is your own department, but of course it applies to the entire company. Therefore, you will have to work closely with the IT department. Which buttons should you turn?

The adaptation of IT systems to the GDPR cannot be arranged in a late afternoon. In short, it requires every organization to keep an eye on whether personal data is handled properly. For that you have to record many things. For example, you must keep a register containing an overview of all processing of personal data. However, you cannot prevent a data breach by keeping a register. To do that, you really need to be on the cutting edge. But where to start? In fact, it all starts with knowledge. You must clearly understand which personal data you actually process and how the information flows run.

Shrink

The follow-up question for your company is then: what possible security risks do those information flows and processing generate? And of course: how can I reduce it? It is useful to first do a risk analysis using a step-by-step plan (see below). This should provide your company with a clear picture of the interventions that are still required to get everything going. You can then decide which bottlenecks you want to tackle yourself and what you want to outsource. In principle, updating the systems and the organization does not need to take months. However, the duration and costs of a route do depend on the current state of your data security.

5 steps to good data security.
This is how you get your privacy policy on track.

Step 1. Someone must be responsible for the protection of personal data. Map the processing thereof.

Step 2. Analyze the risks of these processing operations and see what is still missing from your security, for example with the help of a gap analysis.

Step 3. Update your privacy policy. The GDPR prescribes:

“Privacy by default”
“Privacy by design”
“Data minimization” ie: do not collect more data than necessary.

Step 4. Create awareness and establish responsibilities . Make agreements with suppliers who process personal data of your organization; they remain your responsibility.

Step 5. Implement the technical advice provided by the gap analysis.

Before we continue with this article: Just a little IT dictionary !

Anyone who delves into data security ends up in a forest of English terms
which are abracadabra to the ICT layman. Still, it is useful to know a few basic terms
.

-DDoS attacks
A ‘Distributed Denial of Service’ attack is a cyber attack in which a lot of traffic is sent to computer networks or servers, causing them to crash . A “car wash” means that suspicious internet traffic is detected and redirected to specialized anti-DDoS equipment. It “cleans” the traffic and returns it clean.

-Endpoint protection
A strategy in which security software is installed on so-called “endpoints”, that is, on any device that connects to the corporate network. For example laptops or smartphones. A central server checks whether the device that wants to connect is also authorized and up-to-date.

-Gap analysis
Analysis to determine the differences between the current and desired state of
your systems and business processes. This analysis not only provides the gaps (“gaps”),
but also clarifies what you still need to do to meet the requirements (and
close the gaps).

-Penetration Test
A simulated attack approved by you on one or more selected IT
systems to determine how vulnerable they are. An IT security consultant performs the penetration test.

-Strong authentication
The principle that you have access based on “something you know, have or are”. For example a password plus a code that is generated by a token,
an app or a fingerprint.

-Virtual Private Network (VPN)
A secure private network between home and mobile workers and the office and
between the headquarters and branch offices. As a result, a hacker cannot enter your connection, allowing you to work remotely safely

-Switch

Based on the analysis, the company can take – as required by the GDPR – “appropriate” security measures to prevent a data breach. The question then, of course, is: what are “appropriate measures”? That is tailor-made for every company. But once the following four areas are in order, you’ve got most of it. Because the entire chain is only as strong as its weakest link, all categories deserve attention.

User security
The user is the weakest link in cybersecurity. In about 45% of the data leaks that are now reported, an employee has sent an email with privacy-sensitive information to the wrong person. You can partly overcome this with technical interventions, such as “mobile device management” (management, security and supervision of mobile devices such as smartphones and tablets) and “endpoint protection”. But perhaps even more important – and certainly also in your own department – is awareness. It increases when you regularly pay attention to the subject, positively highlighting very specific exemplary behavior. Every employee must therefore know: what is a data breach? How can I prevent it? And what should I do if I think there is a data breach?

Network and access security
Your company must also take steps to ensure that the corporate network and
Internet access are secure and continue to function securely. So a protective wall must be built against hackers, malware and phishing. In IT land, these types of measures are often bundled into solutions called “unifed threat management” (UTM). Such a package often includes a frewall, a virtual private network (VPN), strong authentication, “intrusion prevention” programs, web filters (limit the Internet sites a user can access) and anti-virus programs. A so-called security operations center can monitor whether security is working properly. Such a
system identifies potential threats to your information and communication systems and defends you against them.

Application Security
Does the marketing department use special applications that are essential to business operations? Assuming that these can be accessed (remotely) via a company network, they are vulnerable. Possible measures against this are an application crash, a “car wash” against DDoS attacks, strong authentication, encryption of data (encryption / decryption), but also a penetration test. And here again: awareness of colleagues.

Data security
Your company must also be “offline” in order. Think of measures to secure the server room (an extinguishing system, access control). For example, you can prevent portable data carriers such as USB sticks from lying around unattended. Also ensure the secure sharing, emailing and storage of data in your department. Possible measures for this are encryption, mobile device management, secure data sharing, registered and sealed e-mail, making backups and of course creating more awareness.

Tackle

The GDPR forces every marketer to think about how the department deals with personal data. The regulation entails work,
and perhaps also the updating of some ICT knowledge. But it also offers opportunities to distinguish yourself. Because now that customers are increasingly aware of their privacy, they also like to see companies that have that right down to the last detail.