An article in the magazine Office Rendement:
The IT systems play an important role in your preparation for the GDPR. You must ensure that personal data is safe within your organization, and technology is the way to achieve that. May 25 is the day, so check your systems for personal data security now, so that every i is dotted.
Adapting IT systems to the GDPR cannot be arranged in a single afternoon. In short, the regulation requires every organization to keep an eye on whether personal data is handled properly. For that you have to record many things. For example, you must keep a register with an overview of all processing of personal data. However, keeping a register does not prevent a data breach. To do that, you really need to be on top of things. But where to start? In fact, it all starts with knowledge. You must have a clear picture of which personal data you actually process and how the information flows run.
The follow-up question for your company is then: what security risks do those information flows and processing operations generate? And of course: how can I reduce them? It is useful to first do a risk analysis using a step-by-step plan (see below). This should give your company a clear picture of the interventions that are still required to get everything in order. You can then decide which bottlenecks you want to tackle yourself and which you want to outsource. In principle, updating the systems and the organization does not need to take months. However, the duration and costs of the process do depend on the current state of your data security.
5 steps to good data security
Step 1. Someone must be responsible for the protection of personal data. Map the processing of that data.
Step 2. Analyze the risks of these processing operations and see what is still missing from your security, for example by means of a gap analysis.
Step 3. Build in the following principles:
– “Privacy by default”
– “Privacy by design”
– “Data minimization”, in other words: do not collect more data than is necessary.
Step 4. Create awareness and establish responsibilities. Make agreements with suppliers who process personal data on behalf of your organization; that data remains your responsibility.
Step 5. Follow the technical advice provided by the gap analysis.
The ABC of security under the General Data Protection Regulation
‘It starts with knowledge’ also applies to your own knowledge. Anyone who delves into data security ends up in a forest of English terms that are abracadabra to the ICT layman. Nevertheless, it is useful to know a few basic terms that can make a difference when negotiating with your IT supplier.
-Distributed Denial of Service (DDoS) attack
A Distributed Denial of Service attack is a cyber attack that floods computer networks or servers with traffic, overloading them until they fail. A “car wash” means that suspicious internet traffic is detected and redirected to specialized anti-DDoS equipment, which “cleans” the traffic and returns only the legitimate part.
-Endpoint protection
A strategy in which security software is installed on so-called ‘endpoints’, i.e. on any device that connects to the corporate network, for example laptops or smartphones. A central server checks whether the device that wants to connect is actually authorized and up to date.
-Gap analysis
An analysis to determine the differences between the current and desired state of your systems and business processes. This analysis not only identifies the gaps, but also clarifies what you still have to do to meet the requirements (and close the gaps).
-Penetration test
A simulated attack, approved by you, against one or more selected IT systems to determine their vulnerability. An IT security consultant performs the penetration test.
-Strong authentication
The principle that you gain access based on ‘something you know, have or are’. For example a password plus a code generated by a token, an app or a fingerprint.
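To make the “code generated by an app” factor concrete, here is an added example in Python (not from the article or the magazine) of the time-based one-time password scheme defined in RFC 6238, which is what most authenticator apps implement. The login check combines the two factors: a password (something you know) and a six-digit code derived from a shared secret and the current time (something you have). The function names, the demo secret, the demo salt and the time window are constructed for this example; the secret and expected codes are the RFC 4226/6238 test vectors.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the
    8-byte big-endian counter, dynamically truncated to `digits` digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte picks the window
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP with the counter set
    to the number of `step`-second intervals since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Server-side storage form of the first factor: a salted PBKDF2 hash,
    never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def verify_login(stored_hash: bytes, salt: bytes, totp_secret: bytes,
                 presented_password: str, presented_code: str,
                 now: int, window: int = 1) -> bool:
    """Two-factor check. Both comparisons use constant-time equality, and the
    code is accepted for the current 30-second step plus/minus `window` steps
    to tolerate clock drift between the server and the user's phone."""
    candidate = hash_password(presented_password, salt)
    if not hmac.compare_digest(candidate, stored_hash):
        return False                                # factor 1 failed
    current_step = now // 30
    for step in range(current_step - window, current_step + window + 1):
        if hmac.compare_digest(hotp(totp_secret, step), presented_code):
            return True                             # factor 2 matched within the window
    return False


# Constructed demo values. The TOTP secret is the RFC 6238 test-vector key;
# a real deployment generates a random secret per user during enrolment.
DEMO_SECRET = b"12345678901234567890"
DEMO_SALT = b"demo-salt-not-for-production"
DEMO_HASH = hash_password("correct horse battery staple", DEMO_SALT)


if __name__ == "__main__":
    # At Unix time 59 the RFC 6238 vector gives 94287082 (8 digits), i.e. 287082 (6 digits).
    code = totp(DEMO_SECRET, 59)
    print("code at t=59:", code)
    print("login ok:", verify_login(DEMO_HASH, DEMO_SALT, DEMO_SECRET,
                                    "correct horse battery staple", code, now=59))
    print("wrong code:", verify_login(DEMO_HASH, DEMO_SALT, DEMO_SECRET,
                                      "correct horse battery staple", "000000", now=59))
```

The window argument is the usual trade-off: a wider window is friendlier to phones with a skewed clock but gives an attacker who has captured one code slightly longer to replay it, so production systems keep it at one step and additionally refuse to accept the same code twice.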
-Virtual Private Network (VPN)
A secure private network between home and mobile workers and the office, and between the head office and branch offices. As a result, an outsider cannot break into your connection, so you can work remotely safely.
Based on the analysis, the company can get started with – as the GDPR prescribes – ‘appropriate’ security measures to prevent a data breach. The question then, of course, is: what are “appropriate measures”? That is tailor-made for every company. But once the following four areas are in order, you have covered most of it. Because the entire chain is only as strong as its weakest link, all categories deserve attention.
The user is the weakest link in cybersecurity. In about 45% of the data breaches now reported, an employee has sent an email with privacy-sensitive information to the wrong person. You can partly counter this with technical interventions, such as “mobile device management” (management, security and supervision of mobile devices such as smartphones and tablets) and “endpoint protection”. But perhaps even more important – and certainly also in your own department – is awareness. It increases when you regularly pay attention to the subject and positively highlight very specific exemplary behavior. Every employee must therefore know: what is a data breach? How can I prevent it? And what should I do if I think there is a data breach?
Network and access security
Your company must also take measures to ensure that the company network and Internet access are secure and continue to function securely. So a protective wall must be built against hackers, malware and phishing. In IT land, these types of measures are often bundled into solutions called “unified threat management” (UTM). Such a package often includes a firewall, a virtual private network (VPN), strong authentication, programs for “intrusion prevention”, web filters (which limit the internet sites a user can access) and antivirus programs. A so-called security operations center can monitor whether the security is working properly. Such a center identifies potential threats to your information and communication systems and defends you against them.
Does the marketing department use special applications that are essential for the business operations? Assuming that these can be accessed (remotely) via a company network, they are vulnerable. Possible measures against this are an application crash, a “car wash” against DDoS attacks, strong authentication, encryption of data (encryption / decryption), but also a penetration test. And here again: raising awareness among colleagues.
Your company must also have its affairs in order “offline”. Think of measures to secure the server room (an extinguishing system, access control). Also prevent portable data carriers such as USB sticks from lying around unattended. And ensure the secure sharing, emailing and storage of data in your department. Possible measures for this are encryption, mobile device management, secure data sharing, registered and sealed e-mail, making backups and, of course, creating more awareness.
The GDPR forces every marketer to think about how the department deals with personal data. The regulation entails work, and perhaps also the updating of some ICT knowledge. But it also offers opportunities to distinguish yourself. Because now that customers are increasingly aware of their privacy, they also like to see companies that have this in order down to the last detail.