Cybersecurity and GDPR: how to maintain effective data security through simple accountability rules

Thanks to the application of GDPR, it has been possible to increase the sensitivity of organizations with respect to cyber security issues: awareness of dangers that can be connected to the violation of personal data on an IT level has in fact allowed the adoption of correct and effective data protection.

The protection and security of personal data are not part of a static process, but rather a dynamic process in which strategies, technologies and processes must undergo constant periodic reviews. In fact, thanks to continuous monitoring, organizations are able to reduce the number of possible entry points within the security perimeter of corporate information assets.

The principle of accountability in the area of personal data security

A careful reading of article 25 of GDPR shows that: “the data controller shall implement appropriate technical and organizational measures, such as pseudonymous, aimed at effectively implementing the principles of data protection, such as minimization, and integrate the necessary guarantees into the processing in order to meet the requirements of this regulation and protect the rights of the data subjects …for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. This obligation applies to the amount of personal data collected, the scope of processing, the period of their storage and their accessibility”.

Therefore, essentially, the aspects concerning the management of IT infrastructure and the internal company network by the data controller are the most relevant aspects of the matter. Consequently, the principle of accountability is one of the fundamental pillars on which the regulatory framework of the European Regulation 2016/679 is based, that is the responsibility of the data controller regarding the management of technical and legal tools for the protection and control of personal data. The data controller must therefore activate suitable measures aimed at relate the technical-organizational structure with the type of processing, the nature of data and the level of risk: the personal data that he holds do not belong to him, but have been entrusted to him together with the duty to protect them.

The risks to which company data are exposed in terms of security

There are six main risks for the security of personal data:

  • The first risk is the availability of data and therefore also the destruction or deletion of a file deliberately or not.
  • The second risk is related to the unavailability of data in the event that, for example, a Cryptolocker that blocks all documents held by the organization and prohibits their access.
  • The third risk is data loss which can occur for different reasons and in different ways.
  • The fourth risk is related to the integrity of data and therefore to the voluntary or involuntary alteration of data.
  • The fifth risk for the security of personal data is linked to the confidentiality of the data, such as in the case of publication of data on the company social channel without the permission of the data owner.
  • The sixth risk concerns access to the data.

How to use digital technology to secure personal data

To secure personal data, it is essential to anticipate the six types of risk and anticipate their solutions. In this sense, the appointment of the data controller is fundamental as he is the one who has the obligation to verify that each external manager is compliant, in turn, with GDPR, or that he behaves adequately, adopting all countermeasures to achieve a relatively low risk of personal data breach.

The adoption of an effective technological solution can help the data controller throughout the process of achieving compliance with the EU Regulation: constant study and research allow to adopt, from time to time, different methodologies, such as proactive monitoring of the IT environment in order to keep under control the events that occur on users, who did what and from which station, for documenting and managing the entire data protection process of the company in a simple and effective way.

Ask our company for a free consultancy on the security of personal data and management of the GDPR.