Requirements for IT systems processing personal data
We have just over two weeks until the new regulations on the protection of personal data enter into force. Adopted by the European Parliament in April 2016, the General Data Protection Regulation, known as the General Data Protection Regulation (GDPR), will come into force on May 25, 2018.
Lawyers actively support their clients in adjusting formal requirements to the new regulations. However, the preparation of appropriate templates of information clauses, questions for consents to the processing of personal data and contracts for entrusting or sharing data is not everything. It is important to adapt the technical infrastructure to the new realities along with formal and legal activities. And here a question often arises that lawyers are not able to answer: "what requirements must the IT infrastructure meet to be considered compliant with the provisions of the GDPR"? This problem stems from the fact that, unlike the "old" Act on Personal Data Protection, the new regulations do not indicate specific technical requirements. In the entire Regulation, there are only general conditions relating to the safety of infrastructure. So how do you adapt to them? We will try to help you find the answer to this question.
So what are these general requirements? Article 32 of the GDPR, which specifies that the personal data administrator implements appropriate technical measures to ensure a level of security corresponding to the risk, is the most relevant to this topic. It asks, inter alia, attention to solutions such as:
- Personal data encryption
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
- The ability to quickly restore the availability and access to personal data in the event of a physical or technical incident
- Regularly testing, measuring and evaluating the effectiveness of technical measures to ensure the security of processing
Article 32 also says that when assessing whether the degree of security is appropriate, the risks associated with accidental or unlawful destruction, loss, modification, unauthorized disclosure or access to personal data should be taken into account in particular.
Moreover, the Regulation significantly emphasizes the requirement of accountability. So what actions can we take to make sure that the level of security and resistance to attempts of unauthorized access to data is sufficient? We can rely here on good practices and guidelines that were included, inter alia, in the implementing acts to the current Personal Data Protection Act. The basic control and configuration activities that are recommended to be performed include:
- Verification of firewall rules in terms of the possibility of obtaining unauthorized access to services,
- Sealing outbound communication to reduce data leaks
- Configuration of rules for monitoring and reporting connections initiated from internal and external networks,
- Verification of the configuration of services such as smtp / pop3 / imap, FTP, WWW in terms of sending authentication data using unencrypted channels,
- Implementation of solutions for automatic updating of system and utility software,
- Implementation of solutions for centralized authorization management,
- Implementation of solutions for the management and monitoring of remote sessions (e.g. established by external service companies),
- Implementation of backup systems allowing for automatic verification of tasks and reporting.
Failure to do any of the above-mentioned actions may, consequently, lead to serious incidents related to the breach of personal data security. In the case of an inspection by the Office for Personal Data Protection or internal audit, it would be difficult to explain the failure to do so. It is also worth remembering that in accordance with the new requirements, each security incident should be reported to the Office for Personal Data Protection within 72 hours, which may result in an inspection. In the event of a serious risk of violating the rights and freedoms of persons whose data we process, we are also obliged to notify them about this incident. It is therefore worth taking care of the basic safety issues in advance.
The GDPR is definitely not a revolution. The principles described in the regulation have been known as good practice for a long time. They are based on, inter alia, ISO 27000 family standards related to information security management. Preparing for the new regulations is therefore a good opportunity to increase the overall security level of your organization.