La Privacy e Cybersec per le aziende
Osservatorio a cura del dott. V. Spataro 

Milano, sab 2 dicembre 2023:, Social media non vi temo - Ascolti tra Marketing e AI

   documento 2023-04-28 ·  NEW:   Appunta · Stampa · pdf

Secure personal data | European Data Protection Board


Documento annotato il 28.04.2023 Fonte: GPDP


L'analisi è riservata agli iscritti. Segui la newsletter dell'Osservatorio oppure il Podcast iscrizione gratuita 30 giorni



  • Unauthorised or accidental access to dat
  • Unauthorised or accidental alteration of
  • Loss of data or loss of access to data -
  • Determine the existing or planned measur
  • Estimate the severity and likelihood of
  • Implement and verify planned measures
  • Conduct periodic security audits:
  • Set up an internal policy
  • Information classification
  • Specific confidentiality clause
  • Automatic session lockout
  • Regularly updating software;
  • Automatically update security
  • Encourage the storage of user data on a
  • Limit the connection of mobile media
  • To go further
  • Intrusion alarms
  • Install smoke detectors and firefighting
  • Protect keys
  • Distinguish building areas according to
  • Maintain a list
  • Access
  • Physically protect the computer equipmen
  • Pseudonymise data
  • Encrypt data
  • Anonymise data



estimated reading time: 11 min

Security: what is at stake?

The consequences of a lack of security can be serious: companies can see their image degraded, lose the confidence of their consumers, have to pay large sums of money to recover from a security incident (for example following a data breach) or have their activity stopped. Secure personal data is in the interest of both individuals and the organisations processing the data.

In order to assess the risks generated by each processing operation, it is first advisable to identify the potential impact on the rights and freedoms of the individuals concerned. While organisations have to protect their data (personal or not) for their own interest, the following information focuses on the protection of individuals’ data.

Data security has three main components: to protect the integrity, availability and confidentiality of the data. Therefore, organisations should assess the risks for the following:

  1. unauthorised or accidental access to data - breach of confidentiality (e.g. identity theft following the disclosure of the pay slips of all employees of a company);
  2. unauthorised or accidental alteration of data - breach of integrity (e.g. falsely accusing a person of a wrongdoing or crime as a result of the modification of access logs);
  3. loss of data or loss of access to data - breach of availability (e.g. failure to detect a drug interaction due to the impossibility of accessing the patient's electronic record).

It is also advisable to identify the risk sources (i.e. who or what could be at the origin of each security incident?), taking into account internal and external human sources (e.g. IT administrator, user, external attacker, competitor), and internal or external non-human sources (e.g. water damage, hazardous materials, non-targeted computer virus).

This identification of the risk sources will allow you to identify the potential threats (i.e. what circumstances could allow a security incident to occur?) on supporting assets (e.g. hardware, software, communication channels, paper, etc.), which can be:

  • used in an inappropriate manner (e.g. abuse of rights, handling error);
  • modified (e.g. software or hardware entrapment - keylogger, installation of malware);
  • lost (e.g. theft of a laptop, loss of a USB key);
  • observed (e.g. observation of a screen in a train, geolocation of devices);
  • deteriorated (e.g. vandalism, natural deterioration);
  • overloaded (e.g. full storage unit, denial of service attack).
  • unavailable (e.g. in case of a ransomware).

It is also advisable to:

  • determine the existing or planned measures toaddress each risk (e.g. access control, backups, traceability, premises security, encryption);
  • estimate the severity and likelihood of the risks, based on the above elements (example of a scale that can be used for the estimate: negligible, moderate, significant, maximum);
  • implement and verify planned measures if existing and planned measures are deemed appropriate, ensure that they are implemented and monitored;
  • conduct periodic security audits: each audit should result in an action plan whose implementation should be monitored at the highest level of the organisation.

The GDPR introduces the notion of a "data protection impact Assessment (DPIA)", which is mandatory for any processing of personal data likely to result in high risk for individuals. A DPIAmust contain the measures envisaged to address the identified risks, including safeguards, security measures and mechanisms to ensure the protection of personal data.

In practice

Organisational measures

In practice

Another precaution is to document the operating procedures, keep them up to date and make them easily available to all data handlers concerned. In concrete terms, any personal data processing activity, whether it concerns administrative operations or the simple use of an application, should be explained in a clear language and adapted to each category of handler, in documents to which they can refer.

Set up an internal policy

The awareness of internal data handlers can take the form of a document, which should be binding and integrated into internal regulations. The internal policy should particularly include a description of data protection and safety rules.

Other organisational measures

  • Implement an information classification policy that defines several levels and requires marking of documents and emails containing confidential data.
  • Make a visible and explicit statement on each page of a paper or electronic document that contains sensitive data.
  • Conduct information security training and awareness sessions. Periodic reminders can be provided via email or other internal communication tools.
  • Provide for the signing of a confidentiality agreement or include a specific confidentiality clause regarding personal data in contracts with employees and other data handlers.

Technical measures

  • hardware (e.g. servers, workstations, laptops, hard drives);
  • software (e.g. operating system, business software);
  • communication channels (e.g. fiber optics, Wi-Fi, Internet);
  • paper documents (e.g. printed documents, copies);
  • premises.
  • provide an automatic session lockout mechanism when the workstation is not used for a given period of time;
  • install firewall software and limit the opening of communication ports to those strictly necessary for the proper functioning of applications installed on the workstation;
  • use regularly updated antivirus software and have a policy of regularly updating software;
  • configure software to automatically update security whenever possible;
  • encourage the storage of user data on a regularly backed-up storage space accessible via the organisation's network rather than on workstations. If data is stored locally, provide users with synchronisation or backup capabilities and train them in their use;
  • limit the connection of mobile media (USB sticks, external hard drives, etc.) to the essentials;
  • disable autorun from removable media.
  • use obsolete operating systems;
  • give administrator rights to users who do not have computer security skills.

To go further

  • prohibit the use of downloaded applications that do not come from secure sources;
  • limit the use of applications that require administrator-level rights to run;
  • securely erase the data on a workstation before reassigning it to another individual;
  • in the event that a workstation is compromised, search for the source and any trace of intrusion into the organisation's information system, in order to detect whether other elements were compromised;
  • perform security monitoring of software and hardware used in the organisation's information system;
  • update applications when critical vulnerabilities have been identified and fixed;
  • install critical operating system updates without delay by scheduling a weekly automatic check;
  • disseminate to all users the proper course of action and the list of people to contact in the event of a security incident or unusual event affecting the organisation's information and communication systems.

In practice

  • install intrusion alarms and check them periodically;
  • install smoke detectors and firefighting equipment and inspect them annually;
  • protect keys used to access the premises and alarm codes;
  • distinguish building areas according to risk (e.g. provide dedicated access control for the computer room);
  • maintain a list of individuals or categories of individuals authorised to enter each area;
  • establish rules and means for controlling visitor access, at a min imum by having visitors accompanied outside of public areas by a person from the organisation;
  • physically protect the computer equipment with specific means (dedicated firefighting system, elevation against possible flooding, redundant power supply and/or air conditioning, etc.).

Under-dimensioning or neglecting the maintenance of the server room environment (air conditioning, UPS, etc.). A breakdown in these installations often results in the shutdown of the machines or the opening of access to the rooms (air circulation), which de facto neutralises the security measures.

  • inside restricted areas, require all individuals to wear a visible means of identification (badge);
  • visitors (technical support staff, etc.) should have limited access. The date and time of their arrival and departure must be recorded;
  • regularly review and update access permissions to secure areas and remove them as necessary.

In practice

In practice

  • define a unique identifier for each user and prohibit accounts shared by several users. In the event that the use of generic or shared identifiers is unavoidable, require internal validation and implement means to track them (logs);
  • impose the use of sufficiently strong Password complexity rules (e.g., at least 8 characters, upper case and special characters);
  • store passwords securely;
  • remove obsolete access permissions;
  • carry out a review on a regular basis (e.g. every six months);

What not to do

  • create or use accounts shared by several people;
  • give administrator rights to users who do not need them;
  • grant a user more privileges than necessary;
  • forget to remove temporary authorisations granted to a user (e.g. for a replacement);
  • forget to delete the user accounts of people who have left the organisation or changed jobs.
  • the procedures to be applied systematically on the arrival, departure or change of assignment of a person with access to personal data;
  • the consequences for individuals with legitimate access to the data in the event of non-compliance with the security measures;
  • measures to restrict and control the allocation and use of access to the processing.

In practice

Pseudonymise data

Pseudonymisation is the processing of personal data in such a way that it is no longer possible to attribute the personal data to a specific natural person without the use of additional information. Such additional information has to be kept separately and be subject to technical and organisational measures.

In practice, pseudonymisation consists in replacing directly identifying data (name, first name, personal number, phone number, etc.) in a data set with indirectly identifying data (alias, sequential number, etc.). It makes it possible to process the data of individuals without being able to identify them in a direct way. However, it is possible to trace the identity of these individuals thanks to the additional data. As such, pseudonymised data is still personal data and is subject to the GDPR. Pseudonymisation is also reversible, unlike anonymisation.

Pseudonymisation is one of the measures recommended by the GDPR to limit the risks associated with the processing of personal data.

Encrypt data

Encryption is a process which consists of converting the information into a code in order to prevent unauthorised access. That information can only be read again by using the correct key. Encryption is used to guarantee the confidentiality of data. Encrypted data is still personal data. As such, encryption can be considered as one of the pseudonymisation techniques.

In addition, hash functions, can be used to ensure data integrity. Digital signatures, not only ensure integrity, they also make it possible to verify the origin of the information and its authenticity.

Anonymise data


Personal data can be rendered anonymous in such a manner that the individual is not or no longer identifiable. Anonymisation is a process that consists in using a set of techniques to make personal data anonymous in such a way that it becomes impossible to identify the person by any means that are reasonably likely to be used.

Anonymisation, when implemented properly, may enable you to use data in a way that respects the rights and freedoms of individuals. Indeed, anonymisation opens up the potential for the reuse of data that is initially not permitted due to the personal nature of the data, and can thus allow organisations to use data for additional purposes without interfering with the privacy of individuals. Anonymisation also makes it possible to keep data beyond the retention period.

When the anonymisation is implemented properly, the GDPR no longer applies to the anonymised data. However, it is important to keep in min d that the anonymisation of personal data in practice is not always possible or easy to achieve. It has to be assessed whether the anonymisation can been applied to the data at issue and maintained successfully, considering the specific circumstances of the processing of the personal data. Additional legal or technical expertise would often be needed to successfully implement the anonymisation in compliance with the GDPR.

In practice

Specific situations

  • Issue a telework security policy or at least a set of min imum rules to be respected, and communicate this document to employees according to your internal regulations;
  • If you need to change the business rules of your information system to enable teleworking (e.g., change the clearance rules, remote administrator access, etc.), consider the risks involved and, if necessary, take steps to maintain the level of security;
  • Equip all your employees' workstations with at least a firewall, anti-virus software and a tool to block access to malicious sites. If the employees can use their own equipment, provide guidance to secure it (see "Security measures for BYOD");
  • Set up a VPN to avoid direct exposure of your services to the Internet whenever possible. Enable two-factor VPN authentication if possible;
  • Provide your employees with a list of communications and collaboration tools appropriate for remote work, which guarantee the confidentiality of exchanges and shared data. Choose tools that you control and ensure that they provide at least state-of-the-art authentication and encryption of communications and that the data in transit is not reused for other purposes (product improvement, advertising, etc.). Some consumer software can transmit user data to third parties, and is therefore particularly unsuitable for corporate use.


Security measures for BYOD (Bring your own device)

With the development of BYOD, especially in SMEs, the boundary between professional and personal life is disappearing. Even if BYOD does not represent, in itself, a processing of personal data, it is still necessary to ensure data security.

The acronym "BYOD" stands for "Bring Your Own Device" and refers to the use of personal computer equipment in a professional context. An example of this would be an employee who uses personal equipment such as a computer, tablet or smartphone to connect to the company network.

The possibility of using personal tools is primarily a matter of employer choice and national legislation. The GDPR requires that the level of security of personal data processed be the same, regardless of the equipment used. Employers are responsible for the security of their company's personal data, including when it is stored on terminals over which they have no physical or legal control, but whose use they have authorised to access the company's IT resources.

The risks against which it is essential to protect your organisation range from a one-off attack on the availability, integrity and confidentiality of data to a general compromise of the company's information system (intrusion, virus, etc.).

Example checklist


Testo del 2023-04-28 Fonte: GPDP


i commenti sono anonimi e inviati via mail e cancellati dopo aver migliorato la voce alla quale si riferiscono: non sono archiviati; comunque non lasciare dati particolari. Si applica la privacy policy.

Ricevi gli aggiornamenti su Secure personal data | European Data Protection Board e gli altri post del sito:

Email: (gratis Info privacy)

Nota: il dizionario è aggiornato frequentemente con correzioni e giurisprudenza