Data breaches are expensive. Fines from the supervisory authorities can be severe, and the fallout from affected users and the resulting loss of confidence can cost even more.
The GDPR replaces the 1995 Data Protection Directive (95/46/EC) with a single, streamlined set of rules. Along with the new rules comes the threat of substantial fines, so data protection should be a top priority for every company that processes personal data.
The fines are large: up to 20 million euros or 4% of the company's annual worldwide turnover, whichever is higher. It therefore pays to prevent data breaches rather than contain them.
Personal data, and particularly the special categories of personal data (health, biometrics, political or religious views and the like), must be well secured. The more sensitive the data, the stronger the safeguards need to be. Less sensitive data does not need the same level of protection, but a high baseline of general security must apply to everything.
This risk-based approach reconciles the cost of security measures with the actual risk to the people the data is about. That is why you should know how sensitive the data you hold is, by keeping an inventory of it and by conducting data protection impact assessments (DPIAs) for any processing likely to carry high risk. You can save considerably by not over-protecting low-risk data, but if you are unsure, treat the data as sensitive.
Alongside technical measures, the human factor is too important to ignore. Employees are a major breach risk, whether through error or malice, so that risk must be reduced. Access controls that give staff only the data they need for their role are one way to reduce it; confidentiality agreements and physical access restrictions are another.
Ensure data does not leave the premises on unencrypted portable devices. Make regular backups and store them securely: encrypt sensitive data, and keep at least one copy of the backups completely offline, so that an intruder or ransomware on the network cannot reach it. Third-party backup services should not be used, since they add another link in the chain where the data might leak, usually through human error such as publicly readable storage (consider how often data gets stolen from misconfigured cloud storage).
Two-factor authentication forces everyone with access to follow a security routine and, at the same time, ensures that a password alone, whether phished, guessed or reused from an earlier breach, is not enough for an attacker to get into the company network.
Low-risk data generally does not need measures such as anonymisation or encryption, but sensitive data does. High-risk data should be encrypted at all times and, wherever possible, have its direct identifiers (names, e-mail addresses, customer numbers) replaced with artificial ones, a process the GDPR calls pseudonymisation. The information needed to reverse that mapping must be kept separately and protected. Pseudonymised data still counts as personal data, but it is lower-risk because the individual cannot be identified from the working data set alone; anonymisation, which removes the link irreversibly, takes the data outside the GDPR altogether. Encryption, of course, remains highly recommended and is still the gold standard for protecting data.
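To make the distinction concrete, here is an added example (not from the original article) of pseudonymising a small constructed customer table in Python. It keys the hash with a secret held separately from the working data, keeps the re-identification table apart from that data, and shows why an unkeyed hash of an e-mail address is not a pseudonym: anyone can hash a list of guesses and compare. The records, field names and key handling are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample records (fictitious people) standing in for a customer table.
SAMPLE_RECORDS = [
    {"email": "Alice@example.org", "name": "Alice Example", "postcode": "SW1A 1AA", "order_total": 120.50},
    {"email": "bob@example.org",   "name": "Bob Example",   "postcode": "EH1 1YZ",  "order_total": 42.00},
    {"email": "alice@example.org", "name": "Alice Example", "postcode": "SW1A 1AA", "order_total": 9.99},
]

# Fields that identify a person directly. Indirect identifiers such as postcode are
# left in place here, which is exactly why the result is pseudonymised, not anonymised.
DIRECT_IDENTIFIERS = ("email", "name")


def pseudonym(key: bytes, identifier: str) -> str:
    """Keyed hash (HMAC-SHA256) of a normalised identifier.

    The same person always maps to the same token, so records can still be joined,
    but without the key nobody can recompute or reverse the mapping.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise(records: List[dict], key: bytes) -> Tuple[List[dict], Dict[str, dict]]:
    """Split each record into a working copy without direct identifiers and a
    separately stored lookup table (the 'additional information' of GDPR Art. 4(5))."""
    working: List[dict] = []
    lookup: Dict[str, dict] = {}
    for rec in records:
        token = pseudonym(key, rec["email"])
        lookup[token] = {field: rec[field] for field in DIRECT_IDENTIFIERS}
        stripped = {field: value for field, value in rec.items() if field not in DIRECT_IDENTIFIERS}
        stripped["subject_id"] = token
        working.append(stripped)
    return working, lookup


def reidentify(lookup: Dict[str, dict], token: str) -> Optional[dict]:
    """Only the holder of the lookup table (or of the key) can get back to a person."""
    return lookup.get(token)


def unkeyed_hash_is_guessable(target_digest: str, candidates: List[str]) -> Optional[str]:
    """Why a plain hash is not a pseudonym: anyone can hash guesses and compare.
    Returns the guessed identifier if one matches the unkeyed SHA-256 digest."""
    for candidate in candidates:
        if hashlib.sha256(candidate.encode("utf-8")).hexdigest() == target_digest:
            return candidate
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # hypothetical: in practice, stored in a separate, access-controlled system
    working, lookup = pseudonymise(SAMPLE_RECORDS, key)
    for row in working:
        print(row)
    # Analytics can group Alice's two orders by subject_id without ever seeing her name.
    alice_token = working[0]["subject_id"]
    print("re-identified:", reidentify(lookup, alice_token))
    # Contrast: an unkeyed hash of an e-mail address falls to a short guess list.
    naive = hashlib.sha256(b"bob@example.org").hexdigest()
    print("guessed:", unkeyed_hash_is_guessable(naive, ["alice@example.org", "bob@example.org"]))
```

The working data set can be handed to analysts or a less trusted system, while the key and the lookup table stay under separate access control; losing the working set alone then exposes no names. Because postcode and order history remain, a motivated attacker with other data could still narrow down who is who, so this is pseudonymisation in the GDPR sense and not anonymisation.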
Updates and regular maintenance of security software should not be overlooked. Make sure data in transit is always protected with a current cryptographic protocol, which today means TLS (version 1.2 or later); the older SSL versions are broken and should be disabled. Ensure data is securely destroyed at the end of its life. On magnetic disks this means overwriting (a single pass is sufficient on modern drives); on SSDs and self-encrypting drives it means the drive's own secure-erase or cryptographic erase, because overwriting cannot be relied on to reach every cell; and in more extreme cases it means physical destruction of the media. Paper may also need certified disposal rather than a simple strip shredder.