Ensuring the confidentiality and security of personal data is no longer an option in 2018. The General Regulation on the Protection of Personal Data reinforces the requirements in this area. For the sake of consumers ... and brands.
The massive leak of Uber data, those of 50 million customers, revealed in November 2017 ... the recent scandal Cambridge Analytica, or 87 million data of Facebook users unknowingly recovered by this firm that worked for the US President Donald Trump's campaign: the subject of data security is more relevant than ever. With cyber attacks, theft or fraud of personal data is even among the top five risks that the world must prepare to face in the next ten years, according to the Global Risk Report 2018 published by the World Economic Forum.
This is without counting on the arrival of the General Regulation on Data Protection (GDPR) on May 25, 2018. The text is in the direction of strengthening the security of treatment systems and infrastructure, but also the information to persons and supervisory authorities, in case of the personal data breach. However, the RGPD is not out of the hat, recalls Céline Mas, Associate Director General of the Institute Occurrence, it "follows the 1995 directive." But, she continues, "the RGPD is unprecedented because the text harmonizes European practices previously embodied by the supervisory authorities of each country, with notable differences." This harmonization "simplifies the management of trans-European projects through a shared approach and management", adds Michael Bittan, partner responsible for cyber risk activities at Deloitte.
Appreciate The Risks
"The marks are expected on the analysis of computing resources, the study of their vulnerability and the steps of protection and access control."
The first step, therefore: identify the processing of personal data, processed data, and the media on which they are based - servers, laptops, mobile, operating system, wi-fi, printed document, including. Then, assess the risks generated by each treatment on the rights and freedoms of individuals, identify possible threats and existing or planned measures to address them. "A procedure to test, analyze and regularly evaluate the effectiveness of technical and organizational measures to ensure the safety of processing" must therefore be implemented, says the Regulation. And this, from the collection to the destruction of data, through their storage.
"It is necessary to put in place a data access rights management approach, in order to quickly identify where the leak comes from," adds Céline Mas. Essential, when we know that 78% of them are due to employees internal to the company, intentionally or not - sessions left open, photocopies forgot for example (Quantic.fr).
Camouflage Personal Data
Among the austerity measures as of May 25, 2018: the encryption of personal data, that is to save them, to pass them in a locked and codified manner, and thus to provide the decryption key (s) to retrieve this data. Pseudonymisation is also a solution but may be insufficient if it is possible to identify the person concerned with certain additional information. A good technique is then the hash. The principle: replace the value of the data, the name of the individual for example, by a fictitious value which is a sequence of numbers, letters, and other characters. But, beware, warns Sara El Afia, "not to confuse encryption and hashing, and not to consider the latter as sufficient, because even if it is difficult to reverse, attacks are improving day by day. The anonymization solution, however, remains complex to implement, says Michael Bittan: "At present, this is not part of the priority of our customers for 2018. They are more focused on their roadmap and the realization of the various GDPR projects (cartography, in particular) and will tackle anonymization in 2019 or even 2020. "
Bet On Privacy-By-Design
Article 32 continues on the need to establish the means to ensure the confidentiality and integrity of processing systems, but also the means to restore the availability and access to personal data inappropriate time in the event of an incident. "At any time, the user can ask the brand to account for the use of its data," says the managing director of Occurrence, which must set up a "data bridge", a continuity plan . " All the more, in case of violation of personal data (Article 33), the data controller has 72 hours maximum to notify the CNIL. Without forgetting to inform directly the concerned users if the violation is likely to generate a high risk for its rights and freedoms. Hence the privacy-by-design approach, which "integrates the subject of data security at the source," notes Céline Mas. Sara El Afia adds: "From the beginning, privacy-by-design requires protecting IT resources, data transfers, access rights and awareness of different types of data." Indeed, privacy protection is then integrated into new projects, services or applications as soon as they are designed. "That saves millions of euros," argues Michael Bittan.
