Security is an ongoing effort. It’s worth assessing your security situation from time to time, and as GDPR fines have started to land, it’s a good time to review your data movement and storage setup. Recently, the news broke that British Airways must pay an astounding £183 million fine because of last year’s data breach. The fine, levied by the British Information Commissioner’s Office (ICO), is the equivalent of $224 million, or 1.5% of British Airways’ worldwide turnover.
The reason for this huge fine was not just that British Airways was breached (breaches can happen to anyone); it was the poor security arrangements that British Airways had in place. This lackadaisical approach to data protection and security is what got Marriott fined under GDPR shortly afterward as well. In other words, getting breached alone isn’t enough to get you a big GDPR fine; it’s about how you’re approaching your security.
GDPR affects any organization dealing with users’ personal data, if those users are in the EU, regardless of where the company is based. Therefore, every security engineer and CTO should be aware of the possible implications of GDPR and should know how to protect their organization and customers within its framework.
Information Commissioner Elizabeth Denham said that the loss of personal data is more than an inconvenience. She emphasized that companies must protect their users’ data. ICO is clearly taking a strong stance on what sufficient security arrangements look like, and as you consider your own security, aligning with their views is a smart move.
How to design proper security arrangements under GDPR
This article has seven tips you can apply within your organization to design good security arrangements and avoid following in British Airways’ footsteps. But let’s cover some basic information first.
First of all, it’s important to understand the definition of personal data.
Many people think personal data includes only name, address, and phone number. However, under GDPR, every piece of information that helps to identify a person is personal information. Also, this data can help others identify the user’s physical, genetic, mental, economic, cultural, or social identity. Personal information can include the results of a personality test, information on cultural activities a user participated in, or data related to a user’s mental health.
Examples of personal data
- Education history
- Employment history or job title
- Mobile device IDs
- Cookie ID
- Location data
- Vehicle registration plate number
Even the Facebook “Like” button makes third-party sites responsible for processing people’s data under the European Union’s privacy rules, according to the EU’s top court. The court ruled that the Like plugin allows the social media company to collect data on the site’s users.
Now that you have an idea of what’s at stake, let’s find out how you can ensure that your security arrangements are up to snuff for GDPR.
1. Prepare for Data Subject Access Requests (DSAR)
A Data Subject Access Request allows a supplier or customer to make a written request of a firm they do business with. The DSAR allows that supplier or customer to retrieve all the information the firm has about them. Also, employees can make the same written request of their employer to retrieve the information the employer has about them. The company must provide the data within 30 days.
Therefore, your organization must structure all of its data in an organized way. For example, your organization may want to structure its data by type, storing customer data and employee data in separate domains. Also, if your organization links all the data that belongs to one person or company, it will be easy to retrieve all data for that person or company at once without having to look in multiple places.
2. Store sensitive data securely
Consider these questions:
- Where does your organization store client information?
- Where is your database located? Is it in a public or private cloud?
- Does your organization share any private data with third parties?
Next, evaluate the security of the places that hold your data. To reduce the complexity of your data, opt for simple storage options, relative to your needs. What counts as “simple” will vary based on your business, but resist the urge to be fancy with your storage. You can use more complex tools for categorizing data and moving it through various services that help anonymize the data. However, the more you move users’ data between services, the more complex it becomes to fully secure that data.
The easiest solution to guarantee data safety is encryption. In other words, you apply a set of algorithms to your data to scramble the text. In case of a breach, the hacker will only be able to get hold of these random strings of text. If you want to know more about securing your products, the following article explains principles to protect your SaaS product, and you can learn more about security best practices for SaaS startups here.
3. Always ask for consent to collect data
As you might have noticed, many sites ask you for your permission to collect data about you. Also, GDPR requires you to include what data you are capturing in your privacy policies to provide transparency to your visitors. Even if you’re capturing a minimal amount of private data, you still must follow the GDPR guidelines for your European users.
Elements of your privacy policy
Your privacy policy must contain these items at a minimum:
- What data are you capturing?
- How will you store this data?
- How long will you store it?
- Who has access to the captured data?
- What will you use the data for?
- How will you process the data?
Put this information in a noticeable place on your homepage. GDPR regulators have little tolerance for companies that apply dark UX patterns that trick people into agreeing to data collection.
In addition to generalized consent, you should pursue active consent. Always make your customer actively click the consent box. GDPR forbids automatic opt-ins for any data collection process. Also, you must link to your Terms of Use and privacy policy when asking for consent.
Your users must be able to find all the information about what they are agreeing to in one place. Never opt for pre-checked boxes.
4. Protect your applications
Encrypting your data and storing it securely is one element of a strong security arrangement. Another is protecting your applications from breaches and attacks. Monitoring and protecting your applications in production can help you prevent breaches from happening in the first place and protect your users from attackers. With an Application Security Management platform, you can get visibility into your applications and peace of mind against attacks flying under your radar.
5. Use a double opt-in for mailing lists
Choose software that offers double opt-in for mailing lists. This way, you can be 100% sure that the user wanted to sign up. Sometimes other users or bots add email addresses to your mailing list. For this reason, it makes sense to ask the user to confirm their subscription a second time through a unique confirmation link sent to their email address. Many mailing service providers, including MailChimp, already offer this functionality.
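An added example, not from the original post or from any mailing provider, showing the confirmation-link half of double opt-in in Go. The token is 32 random bytes, only its SHA-256 is stored, and confirming consumes it, so a pending entry cannot be confirmed by guessing, by replaying a leaked table, or twice. The type and function names are the example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

type signup struct {
	email   string
	expires time.Time
}

// Pending holds unconfirmed signups keyed by the SHA-256 of a random token. Only the
// raw token goes into the email, so a leaked table cannot confirm someone else's address.
type Pending struct{ byHash map[string]signup }

func NewPending() *Pending { return &Pending{byHash: map[string]signup{}} }
func hashToken(t string) string { s := sha256.Sum256([]byte(t)); return hex.EncodeToString(s[:]) }

// Subscribe records a pending signup and returns the one-time token for the link.
func (p *Pending) Subscribe(email string, expires time.Time) (string, error) {
	raw := make([]byte, 32) // 256 random bits: not guessable by bots or other users
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := hex.EncodeToString(raw)
	p.byHash[hashToken(token)] = signup{email, expires}
	return token, nil
}

// Confirm returns the address to add to the list only for a known, unexpired
// token; the token is consumed either way, so each link works exactly once.
func (p *Pending) Confirm(token string, now time.Time) (string, error) {
	key := hashToken(token)
	s, ok := p.byHash[key]
	delete(p.byHash, key)
	if !ok || now.After(s.expires) {
		return "", fmt.Errorf("confirmation token unknown or expired")
	}
	return s.email, nil
}

func main() {
	p := NewPending()
	token, _ := p.Subscribe("michiel@example.com", time.Now().Add(48*time.Hour)) // constructed
	fmt.Println(p.Confirm(token, time.Now()))
}
```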
6. Delete data you don’t need
If you aren’t going to use data that you have collected, then delete it. Under GDPR, data controllers must delete all data after they’ve finished using it or after the expiration time set in the privacy policy.
Privacy experts often use the term “the right to be forgotten.” As the name indicates, users can ask your organization to delete collected data that you’re no longer using. If you shared this user’s data with any third party, notify that party so it deletes this specific user’s data as well.
In short, get rid of all the data you don’t need anymore—especially if the data relates to children. Under GDPR, the processing of the personal data of a child is lawful if the child is at least 16 years old. If the child is younger than 16, then such processing is lawful only if and to the extent that consent is given or authorized by the child’s parent or guardian.
7. Educate your employees on security
You can have very sophisticated processes to comply with GDPR, but you must always take human error into account. Educate your employees about what is allowed and what isn’t.
Are your employees dealing with personal user information? Teach them how to handle personal data, categorize it, and store it safely without leaving traces. A strong security culture internal to your organization is one of the best ways to uplevel your security posture across every area. It’s hard to foresee every specific situation and have a tool or process ready for it. If your people have good security instincts, they’ll be in a much better place to make good security decisions when new situations arise.
Bonus tip: execute software updates
People often see software updates as an inconvenience and ignore them. Try to change this practice within your organization, and make software updates part of your company’s processes. This is a practical example of a good security culture.
Software updates include installing the latest security software, browser version, and operating system version. Fortunately, many programs provide the option of updating themselves automatically, which removes the inconvenience of updating software by hand.
Conclusion
A strong security posture will help you protect your users and minimize the impact of any slip-ups that happen. The recent GDPR fines are a good reminder to review your data movement and storage, and to continue strengthening your security in order to build more trust with your users. The best way to align with GDPR is by knowing what data you are collecting, understanding where it moves within your organization, and categorizing that data accordingly.
What can you do if a breach happens? Identify the breach as quickly as possible, and inform an EU regulator or other relevant body within 72 hours of the breach. Also, report the data breach to the affected people. A breach doesn’t have to be the end of the world. It’s all about how you handle it and what you did to try to prevent it in the first place.
This post was written by Michiel Mulders. Michiel is a passionate blockchain developer who loves writing technical content. Besides that, he loves learning about marketing, UX psychology, and entrepreneurship. When he’s not writing, he’s probably enjoying a Belgian beer!