Episode Nine – Security by Design
Ask a corporate lawyer which part of the GDPR is more important than another, and they will no doubt tell you that all parts of the new General Data Protection Regulation are of equal importance. However, if you take the time to read through the document yourself, you will see that distinct topic threads are woven throughout the regulation, and from these a clear hierarchy of importance emerges.
Over the last few years we have seen news reports of numerous large-scale data losses that, at their core, resulted from security breaches. One of the most recent, the breach of the credit reference agency and data broker Equifax, resulted in the loss of data on 44% of the US population and 23% of the UK population (1).
It is not surprising, then, that regulators have focused their attention on security and ensured its presence within the GDPR.
‘Taking into account the state of the art, the costs of implementation and the nature, scope, context and purpose of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk […]’
GDPR Article 32
However, of all the parts of the soon-to-be-enforced General Data Protection Regulation, Article 32 is perhaps the easiest for businesses to understand and act upon. There are numerous reasons for this. Security is not a standalone risk; it is one that companies, management boards, controllers and processors have been well aware of for some time. A state of security could be said to be a prerequisite for compliance with other aspects of the GDPR: insecure systems can cause unintended data processing, and they can lead to the alteration of data and the embedding of inaccuracies. Also, as we are all well aware, security breaches can cause loss, damage and substantial harm to the victims as a result of fraud and identity theft.
Although extreme, it is not inconceivable that an absence of security would lead to complete non-compliance with the entire GDPR.
In an operational sense, given the expansive nature of the resources available, personal data security is perhaps the only area of data protection law where the meaning of ‘appropriate technical and organisational measures’ is capable of full definition.
Articles 5 and 32 of the GDPR establish the security principle, Articles 24 and 28 impose obligations on both controller and processor to demonstrate compliance, and Article 32 goes on to require a risk-based approach.
It is reasonable to suggest, then, that the security a business implements should cover a broad spectrum of threats, from accident and negligence at one end of the scale to deliberate actions at the other. As such, controllers and processors are required to implement a range of controls to protect against complex technological threats, such as malware, denial-of-service attacks and other criminal actions, as well as against negligent employees.
The phrasing of the term ‘appropriate technical measures’ is important, as it demonstrates that the law does not require perfect security, but an approach based upon risk.
The starting point for this risk-based approach is an understanding of the personal data an organisation holds and the processing done upon it; this is something we covered in Episode 2 of this series. Only by understanding the full information lifecycle, from acquisition to deletion, can an organisation begin to understand the risk to the data subject should the data be the focus of a security incident. Only then can an organisation begin to evaluate appropriate controls.
A security risk assessment must consider the nature of the data being processed and the reasonably foreseeable threats that could exploit vulnerabilities in business processes and technical systems. The risk assessment should also include a ‘state of the art’ test: in other words, with regard to a particular control, what is the consensus of professional opinion? The majority of organisations began to encrypt the hard drives of their employees’ laptops not because of a regulatory requirement, but because, in the consensus opinion of security professionals, it was the right thing to do.
SAP have for many years developed systems with an understanding of security by design and by default: patches are signed, transport mechanisms are encrypted, and roles and identities are secured. However, there is more that companies can do to make best use of the capabilities of SAP and demonstrate a rounded, well thought out approach to security by design and by default. Some examples are listed below:
- Enable hardware encryption within server hard drives.
- Enable software encryption of all computers.
- Review roles and ensure appropriate segregation and authorisations of systems access.
- Ensure that SAP Access Control is integrated into HR business processes such that the issuing, amending and rescinding of systems access is automated.
- Ensure that transports across networks are encrypted.
- Review and edit data queries, enable appropriate masking of data at the query level.
- Review data capture and Information Lifecycle Management retention policies, ensure you only capture the personal data you need and only keep personal data for as long as is necessary.
- Review what happens to the numerous log files generated by SAP systems: are they inspected, how often, and by whom? Consider the use of SAP Threat Response to automate the analysis of log files.
- Review business processes and consider if additional controls can and should be added. Integrate with SAP Process Control.
In addition to the ‘appropriate technical measures’, businesses should also recognise the need for wider organisational measures to enhance security. Articles 5, 28 and 32 put forth the notion that those who work with personal data are subject to a duty of confidence and will act within the boundaries of their instructions. For companies this means that there is a need for policy and procedure. Staff contracts should include clauses outlining the consequences of data breaches that are deemed to be their responsibility. Staff training and handbooks should be updated, and the requirement to attend or review them should be ongoing, not only at the point of onboarding with the company.
A review of the enforcement action taken by the UK Information Commissioner (ICO) demonstrates that when investigating an organisation, the ICO pays particular attention to documentation, policy and procedure. Does the business have a policy on system intrusion, a policy covering the actions to be taken upon detecting a security breach, and documentation to prove that the last time a breach was detected, the policy was enacted and followed?
Article 32 of the GDPR, whilst being the easiest to understand, is perhaps the most impactful for business. In addition to requiring a review of data and processing operations and of the technical controls that can be used to reduce the risk level associated with them, it requires that organisations adopt a risk-based approach to security and data protection, integrate security and data protection at board level, produce policy and procedure to cover a range of scenarios, amend employee contracts, update and deliver training to a wide range of staff, and enact a level of continued vigilance which will be new to many.
Stephen Lofthouse MSc BSc PGCLTHE FHEA is a GDPR Consultant with Proceed and a member of the International Association of Privacy Professionals. He is an award-winning SAP mentor who has worked globally for a number of years both commercially and in academia.