“Confidentiality is the essence of being trusted”. The General Data Protection Regulation (GDPR) states that controllers and processors must ensure appropriate security of personal data, including against unauthorized or unlawful processing, accidental loss, destruction or damage, by implementing appropriate technical and organizational measures.
When data subjects share their personal data, they have a reasonable expectation of security: only the people who need that information will have access to it. They trust companies to deliver on that expectation. Failing to do so erodes customer trust, and regulators are likely to penalize you for it as well.
Imagine a hospital that is hit by a ransomware attack. The attacker steals the data and locks every doctor in the hospital out of the systems. As a result, they cannot access the charts containing the patients’ information or treat them properly. Such a situation can have not only financial consequences, but life-threatening ones.
Therefore, data breach prevention should be at the top of every organization’s to-do list.
When deciding what measures are appropriate to ensure data security, you need to conduct a risk assessment of the information. You should review the personal data you hold and how you use it to assess how valuable, sensitive or confidential it is.
You should also consider the following:
- The nature and extent of your company’s premises and computer systems;
- The number of your employees and the extent of their access to personal data; and
- Any personal data held or used by a data processor acting on your behalf.
You need to develop a culture of security awareness in your organization and create policies and controls to enforce it (e.g., a Data Breach Policy, Business Continuity Policy, Password Policy, and Guidelines). Technical controls are also a must: antivirus, encryption, pseudonymization, access controls, and password managers.
In summary, complying with the principle of integrity and confidentiality means that you should do the following:
- Create policies and controls to enforce them – organizational measures;
- Use all possible cybersecurity tools – technical measures.