Regulation

GDPR: what are your cybersecurity obligations?

GDPR requires companies to protect personal data. But what exactly does this regulation mean for your organization?
4 min

GDPR and best practices for data protection

Let’s get to the heart of the matter: while GDPR requires companies and public bodies to implement "appropriate technical and organisational measures" to protect personal data (Article 32), it does not prescribe the techniques or tools to be adopted. Article 32 cites pseudonymisation and encryption only as examples; the choice of measures is left to each organization, in proportion to the risk the processing presents.

Furthermore, the regulation distinguishes ordinary personal data (contact details, IP address, etc.) from special categories of personal data, often called sensitive data, which are subject to stricter rules and increased protection measures (for example: health data, genetic and biometric data, political opinions, sexual orientation, religious beliefs, racial or ethnic origin, etc.).

We’ll get into the details that apply to cybersecurity later, but it is important to understand that GDPR is not only about IT security. The regulation covers the security of personal data whatever the medium: data held on workstations and servers as well as personal data kept on paper, as soon as it is organized in a filing system.

Security must therefore apply to the information system as much as to the company’s premises and physical assets. In other words, under GDPR, a cybersecurity solution is as important as the lock on a filing cabinet.

Since GDPR requires protection appropriate to the risk without dictating the tools or techniques to use, it is more appropriate to talk about best practices for achieving compliance than about a checklist of technical obligations. In addition to GDPR, certain industries are also subject to sector-specific requirements.

In banking and finance, for example, DORA (the Digital Operational Resilience Act, Regulation (EU) 2022/2554, applicable since 17 January 2025) obliges financial entities, as well as their ICT service providers, to meet a set of digital operational resilience requirements covering ICT risk management, incident reporting and third-party risk.

Finally, GDPR requires personal data breaches to be notified to the competent supervisory authority, whatever the cause of the incident (intrusion, loss, theft, human error), unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned.


How can you report an incident involving personal data?

Whether it’s an intrusion on servers, a lost laptop or the theft of paper documents containing personal data, the supervisory authority must be notified of a breach unless it is unlikely to pose a risk to the people concerned. Where the risk to those people is high, they must also be informed directly, without undue delay (Article 34).

Following a data breach, the teams concerned (with the DPO, where one has been appointed) are responsible for gathering the information required for the notification: the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address it. The notification must be made without undue delay and, where feasible, within 72 hours of the organization becoming aware of the breach; if it is made later, the reasons for the delay must be given. Every breach, notified or not, must also be documented internally so that the authority can verify compliance. Note that certain sectors, such as defense, may be subject to special incident reporting procedures.

Pro tip

Can’t tell the difference between EU recommendations, regulations, and directives? It’s actually quite simple.

  • A recommendation, as the name suggests, is not binding. Member states are under no obligation to follow it or to transpose it into national law.  
  • A directive is binding as to the result to be achieved but leaves the form and means to each member state, which must transpose it into national law by a set deadline; it is therefore not directly applicable as such. This is the case with NIS 2, for example.  
  • A regulation is binding in its entirety and directly applicable in every EU member state, with no transposition required. GDPR and DORA are both regulations.

 

Data protection: a little legal history

The protection of personal data has been an issue in European law since the 1970s.  

It became a fundamental right in France and Germany in reaction to the abuses of personal data committed during the Second World War; Northern European countries followed the same approach, and Spain and Portugal, for example, enshrined it in their respective constitutions. Generally speaking, on the European continent, data protection is seen as a fundamental individual right.

The American vision is quite different: personal data can be used as long as this use causes no harm or damage. This principle has influenced European law since the 1980s (with the UK adopting a hybrid approach to data protection from that period), paving the way for the platforms that have since become the giants of the Internet.

And what about cybersecurity solutions? Like all companies, cybersecurity solution providers have obligations to protect data. 


GDPR: cybersecurity solution provider obligations

A cybersecurity software publisher supplies a solution to a customer who uses it. The customer collects personal data through this software (user identifiers, IP addresses, logs, etc.), which is then processed to detect and remediate cyber threats. In GDPR terms, the customer is typically the controller, since it decides the purposes and means of the processing, and the publisher is a processor whenever it handles that data on the customer’s behalf.

In the case of a SaaS solution, the data collected and processed by the customer is stored in the publisher’s Cloud infrastructure, so the publisher, and any hosting provider it relies on, actually holds the personal data.

The customer, which bears the obligation to protect personal data under GDPR, is therefore required to pass that obligation on to its third-party service providers and suppliers, in practice through the contract or data processing agreement that Article 28 requires between a controller and its processors. Cybersecurity tools and their publishers must therefore also comply with GDPR.

The same applies to industry-specific regulations, such as DORA for banking and finance: ICT subcontractors must comply with the procedures and contractual requirements these regulations impose.

And what about partners or MSSPs for organizations outsourcing the management of their cybersecurity solutions or their SOC? 

An MSSP is a subcontractor (a processor, in GDPR terms), and it too must comply with GDPR to meet its customer’s commitments. As such, it must also ensure that the software it supplies to its end customer is compliant, and that any sub-processor it relies on is authorized by the customer and bound by equivalent data protection obligations.

In short, GDPR must be applied across the entire chain, from the solution publisher to end users, including third parties! Remember: your supply chain security is your security. 


Need a security solution that meets the challenges of protecting sensitive data?
Discover our On-Premises offer: