GDPR Privacy Security

Watch your technique!

Hopefully, you have noticed: the General Data Protection Regulation (AVG) will come into effect in the Netherlands next year. The regulation prescribes measures to ultimately prevent a data breach of personal data within your BV. The GDPR demands a lot from your IT systems. Which buttons should you turn? The adaptation of the systems to the GDPR cannot be arranged in an afternoon. In short, it requires every organization to keep an eye on whether personal data is handled properly. For that you have to record many things. For example, you must keep a register containing an overview of all processing of personal data.

Knowledge However, keeping a register does not prevent a data breach. To do that, you really need to be on the cutting edge. But where to start? In fact, it all starts with knowledge. You must have a clear picture of which personal data you actually process and how the information flows. The follow-up question for your company is then: what possible security risks do those information flows and processing generate? And of course: how can I reduce it? It is useful to first do a risk analysis using a step-by-step plan (see below). This should provide your company with a clear picture of the interventions that are still required to get everything going. You can then decide which bottlenecks you want to tackle yourself and what you want to outsource. In principle, updating the systems and the organization does not need to take months. However, the duration and costs of a process do depend on the current state of your data security.

Taking steps towards good data security

Step 1.
Someone must be responsible for the protection of personal data. Map the processing thereof.

Step 2. Analyze the risks 
Of these processing operations and see what is still missing from your security, for example with the help of a gap analysis.

Step 3. Update your privacy policy.
The GDPR prescribes: “Privacy by default” “Privacy by design” “Data minimization”, in other words: do not collect more data than is necessary.

Step 4. Create awareness and establish responsibilities .
Make agreements with suppliers who process personal data of your organization; they remain your responsibility.

Step 5. Implement the technical advice
provided by the gap analysis. Before we continue with this article: Just a little IT dictionary! Anyone who delves into data security will end up in a forest of English terms that are abracadabra to the ICT layman. Still, it is useful to know a few basic terms.

-DDoS attacks
A “Distributed Denial of Service” attack is a cyber attack that sends a lot of traffic to computer networks or servers, causing them to crash. A “car wash” means that suspicious internet traffic is detected and redirected to specialized anti-DDoS equipment. It “cleans” the traffic and returns it clean.
-Endpoint protection
A strategy in which security software is installed on so-called “endpoints”, ie on any device that connects to the corporate network. For example laptops or smartphones. A central server checks whether the device that wants to connect is also authorized and up-to-date.

-Gap Analysis
Analysis to determine the differences between the current and desired state of your systems and business processes. This analysis not only provides the gaps, but also clarifies what you still need to do to meet the requirements (and close the gaps).
-Penetration Test
A simulated attack approved by you on one or more selected IT systems to determine how vulnerable they are. An IT security consultant conducts the penetration test.
-Strong authentication
The principle that you have access based on “something you know, have, or are”. For example, a password plus a code generated by a token, an app or a fingerprint.
-Virtual Private Network (VPN)
A secure private network between home and mobile workers and the office, and between headquarters and branch offices. As a result, a hacker cannot penetrate your connection, so you can work remotely safely. prevent a data breach.

The question then, of course, is: what are “appropriate measures”? That is tailor-made for every company. But once the following four areas are in order, you’ve got most of it. Because the entire chain is only as strong as its weakest link, all categories deserve attention. User security The user is the weakest link in cybersecurity. In about 45% of the data leaks that are now reported, an employee has sent an email with privacy-sensitive information to the wrong person. You can partly overcome this with technical interventions, such as “mobile device management” (management, security and supervision of mobile devices such as smartphones and tablets) and “endpoint protection”. But perhaps even more important – and certainly also in your own department – is awareness. It increases when you regularly pay attention to the subject, positively highlighting very specific exemplary behavior. Every employee must therefore know: what is a data breach? How can I prevent it? And what should I do if I think there is a data breach? Network and Access Security Your company must also take steps to ensure that the corporate network and Internet access are secure and continue to function securely. So a protective wall must be built against hackers, malware and phishing. In IT land, these types of measures are often bundled into solutions called “unifed threat management” (UTM). Such a package often includes a frewall, a virtual private network (VPN), strong authentication, programs for “intrusion prevention”, web filters (limit the internet sites that a user can access) and antivirus programs. A so-called security operations center can monitor whether security is working properly. Such a system signals potential threats to your information and communication systems and defends you against them. Application security Does the marketing department use special applications that are essential to business operations? Assuming that these can be accessed (remotely) via a company network, they are vulnerable. Possible measures against this are an application crash, a “car wash” against DDoS attacks, strong authentication, encryption of data (encryption / decryption), but also a penetration test. And here again: awareness raising among colleagues. Data security Your company must also have its affairs in order “offline”. Think of measures to secure the server room (an extinguishing system, access control). For example, you can prevent portable data carriers such as USB sticks from lying around unattended. Also ensure the secure sharing, emailing and storage of data in your department. Possible measures for this include encryption, mobile device management, secure data sharing, registered and sealed e-mail, making backups and of course creating more awareness.

The GDPR forces every marketer to think about how the department handles personal data. The regulation involves work, and perhaps also the updating of some ICT knowledge. But it also offers opportunities to distinguish yourself. Because now that customers are increasingly aware of their privacy, they also like to see companies that have this in order down to the last detail.