Personal data breaches: cybersecurity and the GDPR
Mis à jour : il y a 20 heures
It is common to read statements equating RGPD and cybersecurity. As the RGPD is a regulation involving many issues beyond data security alone, the two topics are obviously distinct but they do have important intersections.
Data breaches of personal data are one of the major intersections.
In the GDPR, a personal data breach is defined in Article 4.12 as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed".
This definition covers a wide range of adverse events involving personal data, including some events that are not naturally understood as a data breach. This is the case of a deletion or loss of availability (even temporarily): even if personal data has not been stolen or disclosed, the impact on the privacy of individuals may be strong. For example, the unexpected loss of your medical data may have consequences for your hospital treatment, so it is difficult to imagine a more critical impact.
This broad coverage of the definition of data breaches makes it a perfect match for the compromise of one of the 3 pillars of cyber security.
Availability : either permanently (deletion) or temporarily (access problem), personal data is no longer available: any processing of this data is therefore temporarily or permanently impossible.
Integrity : the personal data have been improperly modified and are therefore no longer correct. This may involve the deletion of part of the data, but also the modification of the data in a targeted, random or disorganised manner.
Confidentiality : personal data has been disclosed to persons or organisations that are not intended recipients of the data.
For more information on data availability, integrity and confidentiality rules, see our latest blog post.
To ensure data processing compliance with the RGPD, it is important to bear in mind that each of these pillars can be undermined in different ways, increasing the risk of a data breach occurring.
Availability : by overwhelming a server with unnecessary requests, as in denial of service attacks.
Integrity : by escalating privileges, an account with no write access can acquire them.
Confidentiality : sniffing attacks intercept stream data, and can exploit it when it is not encrypted.
Furthermore, in the same way as in cybersecurity, data breaches in the RGPD concern purely accidental manipulations with the same attention as malicious interventions.
Example of a data breach by accidental manipulation : deletion of a database by the execution of queries in the production database by an unqualified person. The implementation of appropriate working environments (test, non-regression, integration and production databases) as well as appropriate permission matrices respond to this example of risk. These elements will be completed by the implementation of back-up systems allowing the recovery of a database if necessary.
Example of a data breach due to malicious intervention : these are the hacks that are frequently reported in the press. There can be multiple types of attacks, whether to steal data, to stop a system from working (denial of service), or to extort finances (president scam, ransomware, etc.). There are dozens of types of attack, and protecting oneself at an adequate level generally requires securing a wide perimeter, ranging from the information system (servers, networks), to software code (application attacks) and to the working practices of employees (behaviour on business trips, use of e-mails, etc.).
Overall, to be compliant with the RGPD with regard to data breaches, an organisation must :
Anticipate and prevent these risks as much as possible,
Know how to identify and manage incidents,
Ensure a transparent management of these breaches.
Prevention : cybersecurity by design makes it possible to design systems whose architecture reduces risks (e.g. partitioning) or whose security is facilitated (e.g. identification by SSO). It is necessary to conduct a security audit, followed by a campaign to implement countermeasures. Support for secure design by specialists makes it possible to achieve security by design. It is important not to forget security by default, where the golden rule is to delete all unused data.
Incident identification and management : the installation of data monitoring systems, such as IDS (Intrusion Detection System) for example, makes it possible to meet the obligation to identify certain incidents. Different monitoring systems should be considered depending on the case. As for incident management, it involves the need to draw up good incident management procedures, to ensure their follow-up and to ensure their effectiveness, for example by regularly carrying out BCP and DRP exercises.
Transparency : each data breach should be listed in the breach register, internal to each organisation, and above all should potentially be reported to the CNIL and communicated to the individuals concerned, depending on the privacy risk associated with the breach. This is not a cybersecurity topic, but it shows the need to control the use made of your data to assess the risks, as well as the importance of managing your cybersecurity with a strong link to the management of an organisation in order to take on the delicate exercise of reporting and communicating to the people concerned. The subject of cybersecurity governance becomes very important here.
Conclusion: technicality and globality
Compliance with the RGPD with regard to data breaches implies a large need for technical cybersecurity, in order to be able to anticipate the dozens of possible attacks, which are becoming increasingly sophisticated.
Moreover, this data security concerns malicious attacks, but also unintentional incidents, and requires the preparation of multiple recovery plans. The whole of an information system is concerned.
This cybersecurity aspect of the RGPD underlines the importance of being accompanied by security experts who know how to secure all aspects of the digital environment to ensure compliance with the RGPD. It also reinforces the importance of effective collaboration between DPO and CISO.
CyberSecura understands these needs: we can support you in all aspects of digital security - infrastructure, applications, governance - as well as in your compliance with the RGPD with our outsourced DPO service.
Would you like to be informed of our news and receive our latest blog articles directly in your mailbox ? Subscribe to our monthly newsletter !
Would you like to discuss your difficulties, your needs, our offers ? Ask to be contacted, free of charge and without obligation, by one of our cybersecurity experts !