4 lessons we learned from GDPR in 2018
February 5, 2019
In 2018, we saw the GDPR enter into force, the hectic efforts of companies to become compliant, and the first fines rolling in across Europe. What can we learn for the future from the first 8 months of GDPR?
- Get your data security basics straight: Encrypt passwords and implement logical access control
It has been generally accepted for some time that passwords should be sent over any network, in particular the Internet, only in an encrypted form (e.g., using HTTPS). As regards the unencrypted storage of passwords, IT security experts have long argued that this practice, too, poses an unacceptable security risk. The clear recommendation is therefore to only store passwords in an encrypted fashion.
The second basic data security rule is logical access control. This requires three distinct steps:
- Identification: The user has to disclose his or her identity. Any system that allows users to log in using accounts such as “test” or “admin” already fails this basic requirement.
- Authentication: The user’s identity is verified, typically using one or two of the following three factors:
  - something that the user knows, such as a password
  - something that the user has, such as a key or token
  - something that the user is (i.e., biometrics).
- Authorization: Once the user’s identity has been verified, the user is granted access only to the data that the user needs to perform his or her job duties (need-to-know principle).
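The two basics above, as an added example that is not part of the article: a small Python account store (assumed names such as `AccountStore` and `GENERIC_ACCOUNTS`) that keeps passwords only as salted, slow PBKDF2 hashes, which is how the non-clear-text storage the article calls for is done in practice, and runs the three steps of logical access control on login.

```python
# Added example, not from the article. Passwords are never kept in clear text:
# each is stored as a salted PBKDF2-HMAC-SHA256 hash. Login then performs the
# three steps of logical access control: identification, authentication,
# authorization (need-to-know).
import hashlib
import hmac
import os

# Shared, generic identities that defeat identification (assumed list).
GENERIC_ACCOUNTS = {"test", "admin", "root", "guest"}
PBKDF2_ITERATIONS = 600_000  # slow on purpose, so offline guessing is expensive


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn if none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class AccountStore:
    def __init__(self):
        self._users = {}  # username -> (salt, digest, frozenset of permitted datasets)

    def register(self, username, password, datasets):
        # Identification: every account must name an individual, not a shared role.
        if username.lower() in GENERIC_ACCOUNTS:
            raise ValueError(f"generic account name {username!r} defeats identification")
        salt, digest = hash_password(password)
        self._users[username] = (salt, digest, frozenset(datasets))

    def login(self, username, password):
        """Step 1 (identification) and step 2 (authentication); returns the user or None."""
        record = self._users.get(username)
        # Hash even for unknown users so response time does not reveal which names exist.
        salt, stored = (record[0], record[1]) if record else (b"\x00" * 16, b"\x00" * 32)
        _, candidate = hash_password(password, salt)
        if record is None or not hmac.compare_digest(candidate, stored):
            return None
        return username

    def can_access(self, username, dataset):
        """Step 3 (authorization): need-to-know, only datasets granted to this user."""
        record = self._users.get(username)
        return record is not None and dataset in record[2]
```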
- Cooperate with authorities
The case of Knuddels.de from Germany proves that full cooperation with authorities may significantly reduce the financial penalty imposed. In particular in cases where the DPA will learn of the breach anyhow – e.g., because data breach notification requirements are triggered – full cooperation may reduce the overall regulatory risk significantly.
- “Old” types of violations will still be prosecuted
With the introduction of the GDPR, much attention has been put on cutting-edge technologies. However, the CCTV case from Austria demonstrates that old-fashioned violations still matter. After all, old-fashioned technologies are well understood by data protection authorities, making them a low-hanging fruit from the enforcement perspective. Companies should therefore continue to keep an eye on “old” data processing operations, such as CCTV systems.
- Focus on Sensitive Data
The processing of sensitive data, for instance, large amounts of health data, is associated with a high enforcement risk. Given that the unlawful handling of such data is of great concern for large parts of the population, data protection authorities will assign a high priority to enforcement issues concerning sensitive data. When collecting large amounts of sensitive data, companies should therefore focus significantly on compliance with GDPR.