How far have you progressed with the security of personal data?
Pay attention to your technology! Hopefully it has not escaped your notice: the General Data Protection Regulation (GDPR, in Dutch the AVG) will enter into force on May 25 in the Netherlands. The regulation prescribes measures whose ultimate aim is to prevent a breach of personal data within your BV. The GDPR demands a lot from your IT systems. Which knobs do you need to turn?
Adapting your systems to the regulation cannot be done in an afternoon. In short, the GDPR requires every company to keep a constant eye on whether personal data is handled properly. In any case, the GDPR already entails paper obligations. For example, you must keep a register containing an overview of all processing of personal data in your BV.
But paper agreements and keeping a register do not by themselves prevent a data leak within your BV. For that you really have to be on the cutting edge. But where to start? In fact, it all starts with knowledge. You must have a clear picture of which personal data you actually process and how the information flows. The follow-up question is then: what security risks do those information flows and processing activities create? And of course: how can I reduce them? “It starts with knowledge” also applies to your own knowledge. Anyone who delves into data security will find themselves in a forest of English terms that are abracadabra to the ICT layman. Still, it is useful to know a few basic things that can make a difference when negotiating with your IT supplier. Back to the information flows and reducing security risks.
It is useful to follow a step-by-step plan (see below) and to do a risk analysis. This should give you a clear picture of where interventions are still needed in your BV. You can then decide which bottlenecks you want to tackle yourself and what you want to outsource. In principle, updating the systems and the organization does not need to take months. However, the duration and costs of the process do depend on where your BV currently stands with data security.
Based on the analysis, you can get started, as the GDPR requires, on taking “appropriate” security measures to prevent a data breach. The question is of course: what are “appropriate measures”? That remains tailor-made for every company. But if you have the four areas below in order, you have covered most of it. Because the entire chain is only as strong as its weakest link, all categories deserve attention.
Taking steps towards good data security:
1. Make someone within your BV responsible for the protection of personal data and map out the processing of personal data.
2. Conduct an analysis of the risks that these processing activities entail, for example by means of a “gap analysis”.
4. Record responsibilities for personal data and create awareness within your BV. Make agreements with suppliers who process personal data on behalf of your BV (processing agreement). The responsibility for the data lies with you.
5. Implement the technical advice that comes out of the gap analysis.
The user is the weakest link in cybersecurity. In about 45% of the data breaches that are now reported, an employee has sent an e-mail with privacy-sensitive information to the wrong person. You can try to overcome this in part with technical interventions, such as “mobile device management” (management, security and supervision of mobile devices such as smartphones and tablets), data breach prevention and “endpoint protection”.
But perhaps even more important is awareness among employees. Awareness increases when there is regular attention to the subject, in which very specific exemplary behavior is positively highlighted. So every employee should know: what is a data breach? How can I prevent one? And what should I do if I think there has been a data breach?
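To make the “data breach prevention” intervention from the previous paragraph concrete, here is an added example (not from the article, and not a product the article names) of the kind of outbound e-mail check such a tool performs: before a message leaves the company, it looks for personal data in the text and checks whether any recipient sits outside the company domain, which is exactly the misdirected-mail scenario described above. The company domain `example-bv.nl`, the two identifier types checked (a Dutch citizen service number, the BSN, validated with its 11-proof, and a Dutch IBAN) and the sample messages are all assumptions made for this illustration.

```python
"""Outbound e-mail check: personal data addressed outside the company.

Added illustration, not code from the article. It flags a message when
personal data (a valid BSN or a Dutch IBAN) appears in the subject or
body and at least one recipient is outside COMPANY_DOMAIN.
"""
import re
from email.message import EmailMessage
from email.utils import getaddresses

COMPANY_DOMAIN = "example-bv.nl"  # assumed company domain for this example

# Any run of exactly nine digits is a BSN candidate; the 11-proof decides.
BSN_CANDIDATE = re.compile(r"(?<!\d)\d{9}(?!\d)")
# Dutch IBAN: "NL", two check digits, four-letter bank code, ten digits.
IBAN_NL = re.compile(r"\bNL\d{2}[A-Z]{4}\d{10}\b")


def is_valid_bsn(digits: str) -> bool:
    """BSN 11-proof: weights 9..2 for the first eight digits and -1 for the
    last; the weighted sum must be non-zero and divisible by 11."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    weights = [9, 8, 7, 6, 5, 4, 3, 2, -1]
    total = sum(int(d) * w for d, w in zip(digits, weights))
    return total != 0 and total % 11 == 0


def find_personal_data(text: str) -> list[str]:
    """Return the types of personal data found in the text."""
    found = []
    if any(is_valid_bsn(m) for m in BSN_CANDIDATE.findall(text)):
        found.append("BSN")
    if IBAN_NL.search(text):
        found.append("IBAN")
    return found


def external_recipients(msg: EmailMessage) -> list[str]:
    """All To/Cc/Bcc addresses whose domain is not the company domain."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    addresses = [addr for _, addr in getaddresses(headers) if addr]
    return [a for a in addresses if a.rsplit("@", 1)[-1].lower() != COMPANY_DOMAIN]


def message_text(msg: EmailMessage) -> str:
    """Subject plus the plain-text body (empty string if there is none)."""
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    return (msg["Subject"] or "") + "\n" + body


def check_outbound(msg: EmailMessage) -> tuple[str, dict]:
    """Verdict for one outgoing message.

    'block': personal data going to an external address (hold for review)
    'warn' : personal data, but only internal recipients
    'allow': no personal data found
    """
    hits = find_personal_data(message_text(msg))
    external = external_recipients(msg)
    if hits and external:
        return "block", {"personal_data": hits, "external": external}
    if hits:
        return "warn", {"personal_data": hits, "external": []}
    return "allow", {"personal_data": [], "external": external}


def build_message(sender: str, to: str, subject: str, body: str) -> EmailMessage:
    """Helper to construct sample messages for the demonstration."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    # Constructed samples: 111222333 passes the 11-proof (a common test
    # value), NL91ABNA0417164300 is the commonly used example IBAN.
    samples = [
        build_message("hr@example-bv.nl", "accountant@other-firm.nl", "Salary",
                      "Employee BSN 111222333, IBAN NL91ABNA0417164300"),
        build_message("hr@example-bv.nl", "finance@example-bv.nl", "Salary",
                      "Employee BSN 111222333"),
        build_message("hr@example-bv.nl", "caterer@other-firm.nl", "Lunch",
                      "Order reference 123456789"),
    ]
    for m in samples:
        verdict, details = check_outbound(m)
        print(f"{m['To']:<28} {verdict:<6} {details}")
```

A real deployment would run this as a hook in the mail gateway and extend `find_personal_data` with the identifiers your register of processing activities shows you actually handle; the 11-proof matters because without it any nine-digit order number would trigger a false alarm, as the third sample shows.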
Network and access security
These are the steps you can take to keep your corporate network and Internet access secure and working. So: create a barrier against hackers, malware and phishing. In IT land, these types of measures are often bundled into solutions called “unified threat management” (UTM). Such a package often includes a firewall, a virtual private network (VPN), strong authentication, programs for “intrusion prevention”, web filters (which limit which websites a user can access) and antivirus programs. To monitor whether security is working properly, you can use a so-called security operations center (SOC). Such a center signals potential threats to your information and communication systems and defends you against them.
Your BV probably also uses a number of programs that are essential for your business operations. These applications are increasingly accessible via the company network (and also by home workers). This makes them vulnerable. Possible measures include: an application firewall, a DDoS “scrubbing” service (in Dutch a “wasstraat”, literally a car wash) against DDoS attacks, strong authentication, encryption of data, but also, for example, a penetration test. And here again: awareness training for your employees.
You also need to have your affairs in order “offline”, with measures such as securing your server room (an extinguishing system, access control). You should also prevent portable data carriers such as USB sticks from lying around unattended. Data sharing, e-mailing and storage, moreover, often happen insecurely. Possible measures include: encryption, mobile device management, secure data sharing, registered and sealed e-mail, making backups and creating more awareness within your BV.
The GDPR forces every company to think about how it deals with personal data. The regulation involves work, and perhaps also a refresh of some ICT knowledge. But it also offers opportunities to distinguish yourself, because at a time when customers are increasingly aware of their privacy, they like to see companies that have this in perfect order.