21 January 2020

SECURITY GYAN Bytes : January 2020 : 21st January 2020

Dear Tech Leader,
Article 32 of GDPR: Security of processing
The flavor of the month is privacy; this week let’s see what GDPR says about
security. Out of a total of 99 articles in GDPR, only one, Article 32, talks
about security requirements. It is noteworthy that Article 32 doesn’t really get
into the technical aspects of security and does not elaborate on what controls
an organization needs to implement in order to comply with GDPR. Rather, it
leaves it to organizations to identify for themselves, based on the data they are
processing and the risks to individuals, the “appropriate security” for
their processing.
The only two measures that Article 32 mentions by name are the
pseudonymization and encryption of personal data. The core of GDPR is “Data
Protection”: if you handle PII and implement either pseudonymization or
encryption, the data is left unusable to anyone who does not hold the algorithm
or key needed to recover the cleartext.
Apart from these two suggestions, Article 32 talks generally about the core
tenets of security – CIA: it asks organizations to maintain the confidentiality,
integrity, and availability of information. GDPR also asks organizations to assess
the resilience of their systems, so that systems processing PII are able
to withstand a cyber-attack and the organization is able to restore access
to PII in a timely manner.
Also, it wants organizations to conduct periodic assessments of their technical
controls to ensure that they are working as expected; this is essentially a way to
have an independent audit done.
The following are quick recommendations on what you can do to comply with
GDPR, and with the upcoming draft Indian data protection bill as well.

1. Training & Awareness: Conduct privacy training for your entire staff
based on their roles and responsibilities. Everyone must be aware of the
changing paradigm of the privacy/security landscape.

2. Map your business processes and define a Data Flow Diagram for any
process that manages PII. The diagram should clearly show how data is
flowing within the organization, where it is stored and who has access to
it. Define the data retention period and delete the data once that
period has passed – you don’t have to protect what you don’t have.

3. Identify where you store PII; sometimes PII such as IP addresses is
stored in web server logs and is not duly protected.

4. Conduct a risk assessment based on “risks to the rights and freedoms of
natural persons”. As IT/Security professionals we are more inclined to
conduct a risk assessment for assets, as part of the typical ISO 27001
requirement. Here the risk assessment is a little different: it
revolves around the individual/natural person whose data the
organization is processing. The data flow diagram will help in conducting this
risk assessment as well; you’ll clearly know where all you need to put security.

5. Follow a security standard such as ISO 27001; this will provide a well-
established framework for defining your security controls.

6. Seriously consider encryption within your process; this is one of the best
defenses. Even if the data gets leaked, you’d not be bound to notify
authorities/data subjects, as the data is in an unreadable format.

7. If you share data with third-party processors, conduct a security
assessment of their environment as well.

8. Conduct independent security audits of your process; this should include
technical vulnerability assessment and penetration testing of your
networks and applications, Wi-Fi networks and any other segment that is
involved in the processing of PII.

9. Have an incident response plan ready; in case of a breach you’d
have to notify not only the data protection authority but may also have to
inform the data subjects.

10. Seriously consider buying cyber insurance; this may come in handy if you
have to deal with a breach.
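As an added example tying together the pseudonymization measure discussed above and item 3 (PII such as IP addresses sitting in web server logs), the Python below rewrites the client-IP field of constructed Apache-style log lines with a keyed HMAC-SHA256 pseudonym; this is illustrative code written for this newsletter, not part of the original article, and the log lines and key are constructed. A keyed function is used instead of a plain hash because the IPv4 space is small enough that an unkeyed hash of an address could be reversed by hashing every possible address; the key must be kept separate from the logs (for example in a secrets manager) so that the logs alone cannot be mapped back to real addresses.

```python
import hashlib
import hmac
import re
import secrets
from ipaddress import ip_address

# Constructed Apache-style access log lines (documentation address ranges,
# not real traffic). Same client appears on lines 1 and 3.
SAMPLE_LOG = """203.0.113.7 - - [21/Jan/2020:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.23 - - [21/Jan/2020:10:01:05 +0000] "POST /login HTTP/1.1" 302 0
203.0.113.7 - - [21/Jan/2020:10:02:10 +0000] "GET /account HTTP/1.1" 200 1024
"""

# In the common log format the client address is the first field of the line.
CLIENT_FIELD = re.compile(r"^(\S+)")


def pseudonymize_ip(ip, key):
    """Map an IP address to a keyed HMAC-SHA256 tag (truncated to 64 bits).

    The same address always yields the same tag under the same key, so
    per-client analytics still work; without the key, the address cannot be
    recovered from the tag, nor can the mapping be rebuilt by hashing every
    possible address (which a plain unkeyed hash would allow).
    """
    ip_address(ip)  # raises ValueError if the field is not a valid IPv4/IPv6 address
    tag = hmac.new(key, ip.encode("ascii"), hashlib.sha256).hexdigest()
    return "ip-" + tag[:16]


def pseudonymize_log(log_text, key):
    """Rewrite only the client-IP field of each line; all other fields are kept."""
    result = []
    for line in log_text.splitlines():
        match = CLIENT_FIELD.match(line)
        try:
            pseudonym = pseudonymize_ip(match.group(1), key) if match else None
        except ValueError:
            pseudonym = None  # first field is not an IP (malformed line): leave as-is
        result.append(line if pseudonym is None else pseudonym + line[match.end():])
    return result


if __name__ == "__main__":
    # A fresh random key for the demo; in practice load it from a secrets store.
    demo_key = secrets.token_bytes(32)
    for rewritten in pseudonymize_log(SAMPLE_LOG, demo_key):
        print(rewritten)
```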

[Views expressed by me in this article are completely mine and should in no way be
construed as the views of my organization]
This Gyan-Byte is contributed by Vikas Arora. He is currently the Vice President – Global IT & Security of Toluna. He has more than 23 years of work experience in the IT industry and is passionate about cybersecurity. He also works as a virtual CISO for various organizations and speaks at various national and international forums.
Twitter: @techievicky