What a first year we’ve all had! The preparations leading up to 25th May 2018. The ongoing activities to maintain our good work. The efforts to enhance it further as more clarity is provided on GDPR. Giving our interpretations through the issuing of further guidance from authorities and from actions against non-compliant organisations.
During the same time, the Data Protection Authorities have demonstrated how they will assess security practices and impose fines where current actions aren’t effective enough to protect personal data and comply with Article 32 (and other articles) to avoid potential fines.
So GDPR is one year old. It has been talked and written about so much – even before it was alive. And as it heads into its second year, we wish it a Happy First Birthday and send our best wishes for the future.
Brief refresher on GDPR
First though, let’s take a brief refresher. The GDPR brought in harmonisation of data protection requirements for personal data. Although some countries, through the introduction of a local act, had some variation that was permitted by the regulation, the protection for data subjects has become uniform. There are seven principles, ninety-nine articles and one hundred and seventy-three recitals. Of course in all this, the one particular article that stands out for security professionals is Article 32:
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
- In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
- Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.
- The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.
The first year in security related fines
The GDPR’s first year started quietly as far as sanctions or fines were concerned. But we expected this. Data subjects, organisations and even supervising authorities were all coming to grips with the new data protection world we now live in. A selection of the fines imposed that are security related were:
|
Country |
Date | Organisation | Security Concern | Fine |
|---|---|---|---|---|
|
Germany |
Nov 2018 |
Knuddel Chat Platform |
Users’ passwords were stored in an unencrypted format |
€20,000 |
|
Portugal |
Dec 2018 |
Centro Hospitalar Barreiro Montijo |
There was no documented definition of the rules for creating users of the systems. Technical employees were assigned access rights reserved for medical staff. Significant excess user accounts compared to the number on HR systems. Existence of access credentials that allowed any doctor access to any data at any time regardless of their speciality that was deemed to have violated the "need to know" principle and the data minimisation principle. Lack of maintenance of unused profiles for doctors who no longer provide services to the hospital. There were only 18 user accounts that were inactive and the last one was deactivated in November 2016. |
€400,000 |
|
Malta |
Feb 2019 |
Lands Authority |
Unsecure website exposing personal data Lack of penetration testing |
€5,000 |
|
Italy |
Apr 2019 |
Rousseau |
Use of shared high-privilege accounts by system admins Lack of adoption of measures relating to the storage of log files regarding the activities performed by the IT support personnel. Tracking of the access by the IT support personnel was limited to only some pages. No recording of performed operations occurred use of legacy software giving rise to complicated and time-consuming patching process Lack of use of secure protocols and digital certificates to protect data in transit |
€50,000 |
|
Lithuania |
May 2019 |
UAB MisterTango |
Not reporting a security incident that led to a data breach by exposure One employee was responsible for the safety and management of the entire company and the management, installation and maintenance of the IT infrastructure (hardware and software). |
€61,500 |
Interpretations of Note
The security issues raised are not surprising in nature to anyone who has been in risk, information security or cyber security for any length of time. However, perhaps the more recent ones from the Italian and Lithuanian DP Authorities are of interest. It’s obvious from the fines that bad security practices can lead to data breaches and risks to the data subject. However, the interpretations by the Italian and Lithuanian authorities provide an even deeper insight into their understanding of the security measures, who is responsible for them and the security controls that the authorities expect to have in place regarding the protection of personal data.
- In the case of the Italian Authority, they imposed the fine on the Data Processor and not the Data Controller as would have initially been expected. The processor was the hosting provider for the controller. It is the first time that an authority saw that there could be a liability for the processor and without there being any for the controller.
- The Lithuanian authority assertion that security responsibility should not be invested in a single individual who is also responsible for IT infrastructure installation and maintenance, as it understood that the one employee ‘competed’ with themselves. (Press Release – in Lithuanian)
And combined, a medium-sized company providing services to a larger one, they become a significant concern. How is an organisation that has a small IT team that processes data for a controller meant to comply with these interpretations?
An approach to GDPR compliance for the future
No matter how long you’ve been doing what you do, start afresh. Be honest with yourself and your organisation. If you’re not compliant with GDPR or the understandings noted above, acknowledge it, understand the gap and address it. While we’re not a big fan of “3 or 5 Easy Steps to Security,” here are the first three you should be doing:
- Undertake a risk assessment using a security framework like ISO 27001 or Cyber Essentials. You could also use the recently issued guidance by the Luxembourg Data Protection Authority, “GDPR-Certified Assurance Report Based Processing Activities – Certification Criteria.” The abstract reads: “Document to the attention of organizations that want to obtain certification of processing activities under the GDPR-CARPA certification mechanism.”
- Draw up a realistic plan to address the gaps in a practical and achievable manner.
- Consider your longer team strategy:
- Are your security controls sustainable?
- Is the individual responsible for information security the most appropriate choice?
- Has your security programme been allocated the correct resources to support its activities, assure the organisation and protect your customer?
- Would aligning to (or achieving certification of) a formal framework be of benefit?
As an aside, I’ve personally seen a considerable increase in requests for participants in the supply chain to be certified formally with security frameworks such as ISO 27001.
The Terrible Twos
Congratulations on turning one, GDPR. Let’s all hope we don’t experience the “Terrible Twos.”
This blog and its content are provided as a general guide to the subject matter. You should always seek specialist advice about your specific situation – no two organisations are alike.
