Technical measures the company can take to protect personal data 

According to GDPR, companies must protect personal data that is processed within the business. This can be done by, among other things, implementing appropriate technical security measures. Below you can read more about some examples of technical measures that the company can take to protect personal data. 

Requirements to protect personal data

It is a requirement under the GDPR that the company must protect the personal data it processes. The more sensitive the personal data, the higher the level of protection that must be implemented. The company also needs to take appropriate technical measures to comply with other data protection rules and other relevant laws.

For example, it must be possible for a data subject to withdraw consent as simply as it was given. If the data subject gave consent by clicking a button, it must be possible to withdraw that consent in an equally simple way. In this case, the company therefore needs to implement such a technical possibility.

Today this functionality is often found in cookie plugins, where the website visitor can choose to accept cookies and later withdraw that consent by denying the use of cookies via the button choices available in the consent settings.

Here are some examples of technical measures that the company can take to protect personal data in accordance with the GDPR.

Note that there are many more technical measures than those described below that companies can or should implement, depending on the company’s operations.

Authentication

It may be necessary for a company to prove the identity of a person requesting access to systems processing personal data. 

For example, authentication may be required before an employee is given access to certain sensitive data that is necessary for the performance of his or her duties. Not all employees automatically have access to this information. In such cases, the company may first need to confirm the employee's identity through authentication before granting access.

Another example is if a person wants to log in to their bank online to send money to someone. Since the login is done remotely over the internet, the bank needs to implement an authentication method to confirm the identity of the person trying to log into the bank account.


Common authentication process

A common authentication process is that a person creates a user account and password that is used to log into a system. However, this is not always enough. It may be necessary to have a more secure authentication process, such as requiring the person to log in with both a password and a fingerprint, or another form of multi-factor authentication, such as an SMS code sent to the person's mobile number.

Backup

By backing up data, companies can restore personal data that has been deleted or altered unlawfully. In addition, it can help companies recover more easily from, for example, cyberattacks. Backup can be done at preset intervals, such as daily or hourly. 

Please note that it is important to delete backup files after a certain period of time, so as not to store more personal data than necessary. For example, if a data subject requests that their personal data be deleted, the data must also be deleted from any backups.

Backups should be kept safe, separate from day-to-day processing, and access to backup management should only be granted to a few employees.

Encryption

Encryption of personal data is a common technical measure for companies to take. Encryption combines an encryption key, such as a code or fingerprint, with a mathematical function to make the data unreadable; only together do the key and the function make the data readable again. Someone who has access to only one of them therefore cannot read the information. It is especially important to implement encryption when the personal data is particularly worthy of protection.


Do not email payslips with sensitive personal data

Before the GDPR came into effect, it was common for companies to send payslips to employees via email. However, payslips often contain information about sick leave, which is an indication of health and thus constitutes sensitive personal data under the GDPR. Sensitive personal data must be processed with greater security, and it is therefore not appropriate to email such payslips unencrypted.

Network segmentation

It can be useful to divide data networks into different sub-networks, also called network segmentation. The purpose of segmenting networks is to limit communication between systems, such as computers and servers, so that only the information that is necessary flows within a given segment. Among other things, this makes it easier to prevent unauthorized access to personal data.

One advantage of network segmentation is that a user can be given access to only one segment instead of the entire network. In addition, network segmentation can improve the performance of the services in a segment by reducing the risk of network congestion.

Organisational security measures

Companies also need to take appropriate organisational security measures, for example offering employees training in data protection, implementing authorisation management, and establishing written procedures and instructions for employees.
