GDPR technical measures: 5 things to know
GDPR (General Data Protection Regulation) is a regulation aimed to unify and enhance personal data protection in the European Union. Formally, GDPR is limited by the territory of the EU, but its impact spreads far beyond the Union borders. Each company that processes users’ personal information is a potential subject of the regulations. Due to the absence of boundaries and restrictions, the Internet users can interact with web resources, applications and services from all over the world. According to the GDPR, the regulation applies to the processing of personal data of data subjects who are in the Union by a processor not established in the Union. For example, GDPR will be applied to the mobile application from the US, if it was downloaded and used in the EU.
Improper data storage, loss of data, data trafficking, unrestricted usage of personal information and cyberattacks have become more and more frequent over the last few years. To improve the situation, it’s not only necessary to change the requirements for private information processing, but also to change the culture of data usage itself. After the implementation of GDPR, numerous countries started to develop and modernize their own regulations of information security and personal data protection. The global goal is to create a safe informational space, where everyone is in control over their personal information.
GDPR establishes basic principles of processing, collection and storage of information, as well as sets the direction for the further development of information security. There are no specific technologies, algorithms or clear instructions for personal data processors in the regulations. Therefore, adopting the company’s internal and external processes in accordance with the principles shown in GDPR is not an easy quest to do. On the other hand, this approach helps regulations to stay relevant regardless of the current level of IT technologies. Such regulations are more stable, as they don’t need clarifications, corrections or extra articles for a longer period of time.
Information security is achieved through effective search and elimination of vulnerabilities in the process of data collection, distribution, usage and storage. The data processing algorithm is unique and can dramatically differ from company to company. This algorithm depends on many factors including company needs, goals, products, clients, legislation, location, number of workers and outsourced specialists etc. Based on the data processing algorithm, the company’s information security system must reflect all these aspects. That’s why it’s not possible to create a one-size-fits-all approach to fulfill all, or at least most, demands. In case of careless attitude, those missed “holes” in the data security system may lead to very unpleasant consequences for the company and for its clients. The information security system covers not only technical, but also social and structural aspects. That’s why it’s incorrect to consider it as a list of programs, hardware and encryption algorithms only.
5 things to know about GDPR technical aspects.
1) Ones and zeroes of personal information.
Personal data encompasses information about the individual that allows identifying a person directly, combining several facts or using additional sources. High school name, height, favorite restaurant, phone model and pets name are the facts that are useless for personal identification when used separately. But combined, they create a unique combination that can identify a person with high probability. Therefore, access to all information about the person and their behavior should be restricted.
All users of the Internet constantly leave a bunch of digital traces and personal information. Social networks, search engines, online stores, mobile applications, forums and other online resources are constantly collecting data about their users. For example, search engines convert users’ personal information into income. Each registered user is associated with a file, that contains information about the user’s favorite movies genres, food preferences, education, age, profession, favorite sports team, most used search requests, etc. That data is used to create personalized advertisements and predict users’ behavior. A search engine is an effective and commonly used source of private data, but not the only one
A variety of private data sources include thousands of devices and services. This list represents some of the most common among them:
- Internet traffic – data transfer on the Internet occurs in the form of ones and zeros grouped in data packets. In addition to the main data, each package contains information about the source of origin, destination, checksum and other information that is needed for correct transfer through the network. Point of origin and destination are represented in the form of IP address, which is private data. In some cases, it can be used to identify device’s exact location.
- Website monitoring – modern websites track almost all user actions on a page, including cursor movement and page scrolling speed. This way, not only the user’s choice can be tracked, but also the behavior that led to it. Usually, anonymous data is compiled into a single statistic set and used to optimize the site and content, but potentially technology can show individual-level statistics.
- Cross-Device – quite convenient, when you can transfer video or share video game progress from one device to another. However, in terms of personal data, this allows services to save these attachments and tracks the person through the interaction between them.
- Operating systems – OS can track user actions and share information with the developer. The main goal is to improve the system and find errors in the code, but the messages may also contain additional information about the device configuration and system preferences. Unlike applications, operating systems are needed to run devices.
- Geolocation – some services and applications are designed to track a user’s location. When used right, it gives a huge benefit to the user. Unfortunately, some applications are tracking users’ location in the background without proper notification and using that data for company needs.
- Camera – there is a whole market of applications, products and services around this feature. The camera is the most common way to transfer visual real-world information into digital form. Lots of recent applications use cloud computing to improve the image quality, add AR or apply filers. Anyway, the company can have access to information in images and videos.
- Microphones – modern mobile devices and different smart devices are constantly listening to the environment and waiting for the voice commands or to provide noise consolation. Such feature as voice recognition usually uses cloud computing to perform the way it is supposed to. Even put in a assive mode, such devices collect all sound information around them in search of keywords.
- Smart home comprises a combination of numerous sensors and devices. Home alarm systems, video surveillance, flood detection, smoke sensors and robot vacuum cleaners receive lots of information about the environment, even on their own. Combined into a single system, they can track literally every step of the tenants.
According to the GDPR’s principle of data minimization, the data processor should not collect more information, than needed to perform the task. The company must divide information into important and minor data. All unnecessary data should be removed from the system and can’t be used for any purpose.
2) Risk management and critical data.
To organize an effective information security system, resistant to internal and external attacks, it is necessary to clearly understand which aspects are more important and which actions should be taken first. According to GDPR, the intensity of information security should correspond to the contents of data and consider the risks associated with it.
Risk determination always used many methods. However, basically, we can use the formula:
risk = probability of a negative event X negative consequences.
There won’t be any numerical values, but it will show how high the risk is. For example, payment information has a high probability to become a target of cyberattacks. Loss of customer payment information can lead to immediate financial losses for them. Accordingly, the processing and storage of such information will be at high risk. The opposing situation is with processing room temperature sensor data. Such data are not beneficial to third parties, and therefore the likelihood of an attack is low. Loss or disclosure also won’t lead to negative consequences other than reputation damage. This kind of data will be processed as a low-risk data.
More advanced risk determination models use additional elements like:
- probability of threat
- potential vulnerabilities
- potential negative events
- risks / negative effects
- response to negative effects.
Regardless of the method used to determine risks, the result will set priority areas for cybersecurity development. Prioritizing high-risk data will lead to a significant reduction of negative events probability and will increase the overall level of information security.
Risk control is a continuous process, that should reflect all changes in the company, products, software, and equipment and adapt to global events. In addition to finding critical data, risk management is used to develop algorithms aimed to prevent negative events and reduce the negative consequences of such events.
Cyber-intrusion scenarios provide clear steps to identify the attack, stop the current invasion and prevent a future attack. The scenario assumes that the intervention is already taking place.
The scenario in case of data loss or leakage of information takes place after the event and covers the elimination of negative consequences. It means steps to identify damaged / corrupted files, recover lost information, and notify users and authorities about the event and its consequences.
The scenario in case of theft of equipment with corporate information divides into two parts. The first part takes place before the negative event and involves setting up encryption protocols, access restrictions, remote control and complete removal of content in case of multiple unsuccessful authorizations. The second part takes place after the event and includes device tracking as well as data recovery.
3) Where the data is stored and how to protect it.
Data security is a key to a successful IT business. When users trust their personal information, they rely on integrity, privacy and anonymity. The information processor, in return, must ensure proper conditions. Depending on circumstances and tasks, the storage system may be provided by the company itself or by third parties.
Data centres provide server equipment and infrastructure. There are many variations of contractual relations with data centres. Here are the basic ones:
- Computing power as a service: the user gets data centre’s resources and pays accordingly for the workloads. The data centre will independently determine how and on what specific equipment the calculation will be performed. The company won’t be able to control all processes, including information storage, and will rely on the data centre’s compliance with all technical requirements.
- Data centre equipment rental: server rental with prebuilt configuration. This means a full-fledged physical server running on a data centre’s infrastructure. The data centre maintains the equipment and ensures the efficiency of the infrastructure. All internal processes are under the client’s control.
- Data centre infrastructure rental: infrastructure and place in data centre rental. The client locates servers on rented sockets in the data centre. The client has unlimited possibilities to work with the equipment. This approach is suitable for long and heavy tasks but may require the presence of the client’s own equipment.
According to information security principles, the presence of third parties is always riskier than direct information processing. The parties must agree on the procedures in case of payment delays or data transfer in the period after the contract expires. The data deletion, encryption and recovery must be clearly regulated in the contract.
Self-deployment and maintenance of the system are usually aimed to use within the company building or without public access. The company’s internal servers may also contain customers’ personal information. Therefore, safe storage mechanisms are very important even in local servers.
All information is stored on a physical storage medium. Each type of storage has its drawbacks and limitations. Digital data storage devices, like any equipment, can be defective or damaged during their use. Information processors must provide conditions that allow data to be preserved in case of unforeseen circumstances.
Here are some recommendations for data storage:
- Equipment for commercial use allows duplicating important system modules to ensure a low failure rate.
- Backup is important for sensitive or critical data and must be done on regular basis.
- It is advised to store the backup medium separately from the main system. Thus, in case of file corruption or critical system failure, the data won’t be lost completely.
- Disk arrays can reduce the failure rate. Technology allows dividing information among a certain number of physical media in a way, that if some of them failed, the system will continue to operate without affecting its performance and information integrity.
- Encryption prevents data leakage. Data will be useless without a special key to this exact encryption algorithm.
- Theoretically, it’s possible to brute force the encryption key combination, but at the current state of technology development, it takes an irrational amount of time and resources.
- Encryption is a two-way process, unlike hashing.
- Like a regular key, an encryption restore key must be stored in a safe place outside the encrypted system.
- Physical drives must be protected from external influences. Equipment must be placed in rooms, cabinets or buildings with limited access and a controlled environment.
To ensure proper data processing conditions, interaction with data in its original form should be limited or impossible, even for company employees. To do this, user data is divided into different categories. Access to critical data should be limited and the data itself is encrypted. For less important data, company employees can have access to data that is needed to perform their duties. Usually, pseudo-anonymization is used to make sure that it becomes impossible to identify the person, but it’s still possible to interact with this client. For example, a support specialist received a request from a customer. In the company database, he can get the first name, inner ID number and devices registered on this customer. The system automatically matches the ID number and preferred way of communication. Thus, the operator performed his duties with minimum knowledge about the client and was unable to connect with the customer outside the system.
4) Staff qualification is 70% of information security.
Employee qualification is important for company information security. When attackers want to obtain important data and do not have the technical ability for an external attack, they can use alternative methods. Some of these methods are targeted at human factors. The human brain is far superior to all modern computers, but there are still many ways to mislead or trick it.
Social engineering is a set of methods and mechanisms aimed at gaining access through manipulation and deception. Let’s consider a regular scenario:
Company employee receives an email. The message contains the company’s logos, the address is similar to the real one, and at the end of the mail, there’s a signature and photo of the CEO. It is reported, that there was a leak of critical information, the attackers received passwords from the company business accounts. Therefore, all employees should follow the link below and follow the instructions. That link leads to a website, that is identical to the original and asks you to enter your e-mail \ login, old password and create a new one. As a result, the attacker receives all that data and now has everything to log into your account. This situation was unexpected for the employee, in addition, the pressure and fear of losing important data closed that trap.
Manipulations are not limited to e-mail. Attackers can use phone conversations, messengers, or visit the company’s office on their own. It is almost impossible to prepare employees for all possible scenarios, but it is possible to develop clear algorithms to prevent them.
After the development of cyberattack countermeasures, it is equally important to notify and train employees. The company should set a person that will be responsible for the organization of training and who will coordinate information security countermeasures. Companies often post information about their team and team leaders in open sources. Attackers are likely to use that to create visibility of legit information.
Companies also can add extra technical features to the authorization process. Such as two-factor authorization, device or location limitation. Those features can significantly reduce the possibility of third parties logging in. Thus, even when the login and password are known to the attacker, authorization will be impossible without the second factor or proper conditions.
5) How interface can reflect information security level.
IT has passed the stage when the only way to interact with a computer was text commands. Nowadays, there are many ways to get information and interact with it in form of text, sound, graphics or even tactile. This variety allows using design elements not only for communication with the user, but also to manipulate decisions. In terms of information security, cookies and other policy requests can use this type of manipulation.
The company must obtain the user’s consent before collecting and processing information. Personal data policy, cookie policy and terms of use are not very interesting for users to read, especially when it interrupts much more pleasant content. Companies have to get users’ consent, and inform them about data policy and their data usage. To speed up or to ensure that users will give consent, companies started to manipulate users by the means of interface design. This kind of manipulation does not violate the regulations, but they are contradictory and may show the company’s disrespect to users.
Banners and notifications are common tools to get consent. Designers manipulate users using colors, shapes and location on the screen. Here are a few simple examples:
- Websites content is not displayed until consent is given. The user finds himself in a situation where the resource is useless without consent, but its content can be important to the user.
- The banner has one big bright button to accept the policy and a small slightly visible button in the corner to decline or to get more details.
- Notification is a blocking interface, which is important to navigate the website properly.
- The privacy policy wrote in an uncomfortable color scheme and with tiny letters, marking it painful to concentrate on.
- The request got only one option: to accept.
Users are usually sceptical about sharing their information with third parties, even if you show them how, why and who will get that data eventually. The goal is to create conditions for conscious and voluntary decisions. Designers should create equal conditions for all options, no matter what choice is preferable for the company. The website should persuade users to give their acceptance based on extra features, optimal performance or to support further website improvements.
Conclusion
- Information security is never static. In addition to external factors, it is also a constant search for a balance between data security and company interests.
- The GDPR is not limited by the EU territory. The regulation applies to companies, that process private data of individuals within the EU even if the company itself located outside the Union.
- There is no one-size-fits-all approach to information security.
- Information security is not limited by technical aspects but requires a complex approach.
- Personal information covers all information about the person, their activities, behavior and choices.
- Majority of the sources of personal information are able to obtain more data than is necessary for proper functioning.
- Information that is not necessary for proper functioning cannot be used and must be deleted.
- Risk control is necessary to determine the priority areas of information security.
- Development of algorithms for negative events and their consequences is mandatory, especially for critical information.
- All electronic data is stored on physical media.
- There are requirements and recommendations for the proper storage, transmission and deletion of personal data.
- The specification of computer equipment affects the likelihood of negative events.
- All specialists in the company must know the company’s information security policies and algorithms in case of negative events.
- The company must have a person, that will be responsible for information security.
- Technical means help to preserve information, but for the most part, it all depends on the qualifications of each individual employee.
- Interface designs are able to manipulate users’ decisions.
- Consent to data processing should be voluntary.
- Users should have an equal opportunity to accept or decline the request.