PodMaster.it, Social media non vi temo - Ascolti tra Marketing e AI
documento | 2023-04-28 · NEW: ![]() |
Secure personal data | European Data Protection Board |
abstract:
Link: https://edpb.europa.eu/sme-data-protection-guide/s
analisi:
index:
Indice
- Unauthorised or accidental access to dat
- Unauthorised or accidental alteration of
- Loss of data or loss of access to data -
- Determine the existing or planned measur
- Estimate the severity and likelihood of
- Implement and verify planned measures
- Conduct periodic security audits:
- Set up an internal policy
- Information classification
- Specific confidentiality clause
- Automatic session lockout
- Regularly updating software;
- Automatically update security
- Encourage the storage of user data on a
- Limit the connection of mobile media
- To go further
- Intrusion alarms
- Install smoke detectors and firefighting
- Protect keys
- Distinguish building areas according to
- Maintain a list
- Access
- Physically protect the computer equipmen
- Pseudonymise data
- Encrypt data
- Anonymise data
testo:
E estimated reading time: 11 min
The consequences of a lack of security can be serious: companies can see their image degraded, lose the confidence of their consumers, have to pay large sums of money to recover from a security incident (for example following a data breach) or have their activity stopped. Secure personal data is in the interest of both individuals and the organisations processing the data. In order to assess the risks generated by each processing operation, it is first advisable to identify the potential impact on the rights and freedoms of the individuals concerned. While organisations have to protect their data (personal or not) for their own interest, the following information focuses on the protection of individuals’ data. Data security has three main components: to protect the integrity, availability and confidentiality of the data. Therefore, organisations should assess the risks for the following: It is also advisable to identify the risk sources (i.e. who or what could be at the origin of each security incident?), taking into account internal and external human sources (e.g. IT administrator, user, external attacker, competitor), and internal or external non-human sources (e.g. water damage, hazardous materials, non-targeted computer virus). This identification of the risk sources will allow you to identify the potential threats (i.e. what circumstances could allow a security incident to occur?) on supporting assets (e.g. hardware, software, communication channels, paper, etc.), which can be: It is also advisable to: The GDPR introduces the notion of a "data protection impact Assessment (DPIA)", which is mandatory for any processing of personal data likely to result in high risk for individuals. A DPIAmust contain the measures envisaged to address the identified risks, including safeguards, security measures and mechanisms to ensure the protection of personal data. Another precaution is to document the operating procedures, keep them up to date and make them easily available to all data handlers concerned. In concrete terms, any personal data processing activity, whether it concerns administrative operations or the simple use of an application, should be explained in a clear language and adapted to each category of handler, in documents to which they can refer. The awareness of internal data handlers can take the form of a document, which should be binding and integrated into internal regulations. The internal policy should particularly include a description of data protection and safety rules. Under-dimensioning or neglecting the maintenance of the server room environment (air conditioning, UPS, etc.). A breakdown in these installations often results in the shutdown of the machines or the opening of access to the rooms (air circulation), which de facto neutralises the security measures. What not to do Pseudonymisation is the processing of personal data in such a way that it is no longer possible to attribute the personal data to a specific natural person without the use of additional information. Such additional information has to be kept separately and be subject to technical and organisational measures. In practice, pseudonymisation consists in replacing directly identifying data (name, first name, personal number, phone number, etc.) in a data set with indirectly identifying data (alias, sequential number, etc.). It makes it possible to process the data of individuals without being able to identify them in a direct way. However, it is possible to trace the identity of these individuals thanks to the additional data. As such, pseudonymised data is still personal data and is subject to the GDPR. Pseudonymisation is also reversible, unlike anonymisation. Pseudonymisation is one of the measures recommended by the GDPR to limit the risks associated with the processing of personal data. Encryption is a process which consists of converting the information into a code in order to prevent unauthorised access. That information can only be read again by using the correct key. Encryption is used to guarantee the confidentiality of data. Encrypted data is still personal data. As such, encryption can be considered as one of the pseudonymisation techniques. In addition, hash functions, can be used to ensure data integrity. Digital signatures, not only ensure integrity, they also make it possible to verify the origin of the information and its authenticity. Personal data can be rendered anonymous in such a manner that the individual is not or no longer identifiable. Anonymisation is a process that consists in using a set of techniques to make personal data anonymous in such a way that it becomes impossible to identify the person by any means that are reasonably likely to be used. Anonymisation, when implemented properly, may enable you to use data in a way that respects the rights and freedoms of individuals. Indeed, anonymisation opens up the potential for the reuse of data that is initially not permitted due to the personal nature of the data, and can thus allow organisations to use data for additional purposes without interfering with the privacy of individuals. Anonymisation also makes it possible to keep data beyond the retention period. When the anonymisation is implemented properly, the GDPR no longer applies to the anonymised data. However, it is important to keep in min d that the anonymisation of personal data in practice is not always possible or easy to achieve. It has to be assessed whether the anonymisation can been applied to the data at issue and maintained successfully, considering the specific circumstances of the processing of the personal data. Additional legal or technical expertise would often be needed to successfully implement the anonymisation in compliance with the GDPR. With the development of BYOD, especially in SMEs, the boundary between professional and personal life is disappearing. Even if BYOD does not represent, in itself, a processing of personal data, it is still necessary to ensure data security. The acronym "BYOD" stands for "Bring Your Own Device" and refers to the use of personal computer equipment in a professional context. An example of this would be an employee who uses personal equipment such as a computer, tablet or smartphone to connect to the company network. The possibility of using personal tools is primarily a matter of employer choice and national legislation. The GDPR requires that the level of security of personal data processed be the same, regardless of the equipment used. Employers are responsible for the security of their company's personal data, including when it is stored on terminals over which they have no physical or legal control, but whose use they have authorised to access the company's IT resources. The risks against which it is essential to protect your organisation range from a one-off attack on the availability, integrity and confidentiality of data to a general compromise of the company's information system (intrusion, virus, etc.).Security: what is at stake?
In practice
Organisational measures
In practice
Set up an internal policy
Other organisational measures
Technical measures
To go further
In practice
In practice
In practice
In practice
Pseudonymise data
Encrypt data
Anonymise data
In practice
Specific situations
Security measures for BYOD (Bring your own device)
Example checklist
Testo del 2023-04-28 Fonte: GPDP
Documento English Edpb Pmi Linee guida Privacydb Wallabag
Link: https://edpb.europa.eu/sme-data-protection-guide/s