GDPR – Data security
In our previous blog – “Is your HR Tech solution GDPR compliant?” we talked about various requirements and changes GDPR would trigger for HR Tech applications. It is also important to know about data security for GDPR compliance. In continuation of the previous blog, we will look at some areas to be considered for identification of data, responsible stakeholders and techniques to ensure security.
Before getting into the security aspect, let’s first look at the scope and definition of “Data” referred for compliance.
- Data under lens – GDPR regulation covers any kind of personal information of all individuals except the legal entities such as – corporations or non profits. According to the European Commission “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address”. It also involves looking at information management processes adopted by organizations and applications including collection, retention, deletion, breaches, and disclosures of personal data within or outside the data flows of underlying systems that enable and facilitate the processing of data.
- Responsibility and Accountability – Portable nature of digital data identifies the need for protecting data at rest as well as data on move. The absolute responsibility for data security and trust lies in hands of organization however, GDPR requires the responsibility to be laid equally on shoulders of both data controllers (entity that defines the purpose, conditions & means of the processing of personal data) and the data processors (organizations that perform actual data processing on behalf of the controller).
Data controllers are required to ensure appropriate level of security compliance as a continuous part of business processes and same has to be maintained throughout the processing life cycle. Data processors are obligated to process data in accordance with the controller’s instructions which imposes an indirect obligation to comply with the regulation, and in turn assist the data controller in meeting few of its objectives. Apart from these, data processors must evaluate and implement appropriate practices to ensure compliance based on factors like data sensitivity, nature of the processing, maintain a record of data processing activities. The regulation also defines a need for appointment of data protection officer (DPO) if processing of sensitive personal data is regular and systematic (Article 37), depending on organization specific requirements. The DPO acts as an advisory for firms and employees in data protection provisions, impact assessment, training & auditing and monitors compliance with respect to GDPR.
- Ensuring Data Security – Basic areas for data security revolve around the key areas of – identification, prevention, access of data, and monitoring. We will discuss each of these points briefly here.
- Restricting personal data access – Data access security needs to be implemented as a data processing and retention principle in each and every step where personal data is flowing in the system. Evaluation of security controls also is an important activity in order to further define and apply restriction of data access.
- Identification and classification of data – This refers to the discovery analysis with an assessment of what types of personal data system is collecting, processing, and storing, identify the users / groups having access to such personal data. This gives a good view of risk exposure and help in prioritization of further compliance efforts.
- Prevention of data breach – Methods for prevention of data breach needs to be adapted such that it restricts access to personal data. Requirement and use of personal data should be clearly defined for each specific purpose in the process. Regulation also requires the security controls to demonstrate compliance in overall data processing life cycle.
- Monitoring of data – This activity is of highest importance level in both pre and post data breach situations. It involves number of activities including monitoring of personal data access, detect security threats, detect and respond to security threats, implementation of incidence response capability in a timely fashion. Data monitoring and notification must be swift enough to trigger timely action or responses.
Enterprise solutions must consider a combination of technical measures and security policy to ensure the confidentiality, integrity, availability of data taking into account the nature and scope of processing in respective system.