
GDPR: Understand everything about the principle of security

The GDPR is the general regulation on the protection of personal data. When we talk about "data protection" we obviously have to pay particular attention to "data security". But what does this security principle mean in practice?

This is one of the main principles of the GDPR, so we explain everything to you in 5 minutes of reading. Have a glass of water and some popcorn! 🍿

The answer to the survey "Under the GDPR, a risk is an event which is likely to cause a loss of...?"

To introduce the subject, we ran a survey on March 1st on our LinkedIn page, asking you "Under the GDPR, a risk is an event which is likely to result in a loss of...".

Well done! Out of 222 voters, 87% of you chose "All 3 answers". Indeed, a risk is an event which is likely to cause a loss of confidentiality, integrity or availability.

6 principles to respect for the data controller

Security is one of the 6 main principles that the data controller must respect to implement processing in compliance with the GDPR. ☝️

Indeed, according to article 5.1 of the GDPR, the processing of personal data must meet several principles:

Understand the principle of security

Under the GDPR, the data controller must ensure the security of the personal data it processes. The objective is to guarantee the integrity and confidentiality of that data. The controller must therefore identify and assess beforehand the risks that the processing in question poses to the data subjects, and implement technical and organizational measures appropriate to the risks identified. These security measures, physical as well as logical, must be proportionate to those risks.

A risk is an event likely to cause a loss of confidentiality, integrity or availability of data. These risks must therefore be assessed, and technical or organizational measures put in place to prevent them.

What security principle measures should be implemented? 🧐

Article 32 of the GDPR requires the data controller and the processor to implement measures such as:

  • pseudonymization and encryption of personal data,
  • means to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems,
  • means to restore access to and availability of data in a timely manner in the event of an incident,
  • a process for regularly testing, assessing and evaluating the effectiveness of the measures ensuring the security of the processing.

More concretely, these may be physical measures, such as controlling access to your premises or keeping your paper files in a locked cabinet. 🗄️

Concerning logical measures (those relating generally to computer and software security), you can for example:

  • require regular changes to your passwords,
  • implement a specific authentication process,
  • implement a data backup policy,
  • deploy anti-virus protection and carry out penetration testing,
  • process data on a dedicated internal network, etc.

Sanction by the CNIL due to a security breach 🤷‍♂️

In December 2021, the CNIL fined the company SLIMPAY, which offers payment solutions to its customers, 180,000€. In 2015, following an internal research project, it stored personal data without implementing appropriate security measures. It turned out that this data was freely accessible on the internet. It was only 5 years later, after being informed by one of its clients, that SLIMPAY became aware of this data breach, which affected 12 million people.

Following an inspection carried out in 2020, the CNIL found three breaches. 👇

In terms of security, the supervisory authority found a breach of Article 32 of the GDPR. The SLIMPAY server was freely accessible on the internet from November 2015 to February 2020. It contained not only civil status data (surname, first name, title), but also email and postal addresses, telephone numbers and banking information.

The CNIL also found a breach of Article 34 of the GDPR (under which the data controller must notify data breaches of which it is aware to the CNIL and, in certain cases, to the data subjects). SLIMPAY did not notify the 12 million affected people of the data breach. The supervisory authority recalled that notifying data subjects of a breach is mandatory when the breach is likely to result in a high risk to them. To assess that risk, the following must be considered:

  • The nature of the data processed,
  • The number of people affected,
  • The possible consequences for people.

Based on these criteria, the CNIL found that SLIMPAY should have warned the affected people, and could have done so because they were identifiable.

Security is therefore an issue for the data controller:

  • both upstream, in the organization of its information system and the implementation of its processing,
  • and downstream, in the handling and resolution of security incidents.

To avoid having to notify the CNIL of a data breach, it is therefore better to anticipate and do everything possible to prevent such incidents.

Data Comply One (formerly Mission RGPD) versus the principle of security

After reading this article, are you still having trouble understanding what you need to put in place? Is it not clear? Do you need help?

Our September 21 webinar "GDPR and IT security: the challenge of technical and organizational measures" allows you to go further and obtain a clear methodology for auditing the security of your organization, both internally and in your relationships with your service providers. In this webinar you will also find advice on how to implement, with Data Comply One (formerly Mission RGPD), the actions and legal documents necessary for your compliance, and how to ensure that a sufficient level of security is maintained throughout the life of your organization.

✅ With Data Comply One (formerly Mission RGPD), you will be able to comply simply and meet your obligations with complete peace of mind. The security of your processing operations will no longer be a problem.

Don't waste any more time, it's so simple!
