Technical measures - GDPR
Authentication is a technical security measure
Individuals may need to confirm their identity so that only the right person gets access to systems containing personal data. This is called authentication. When a company needs effective access control to keep unauthorized persons from reaching personal data, a secure authentication process is one way to achieve it.
Technical security measure - Authentication
Companies that are subject to the GDPR must implement various appropriate security measures to protect personal data. Below you can read more about authentication, which is a type of technical security measure.
Common type of authentication process
Most commonly, a person creates a user account with a password and uses it to log in to, for example, a system. This is a form of authentication, but it is not always secure enough on its own. Therefore, users are often required to supplement the login with a further step in the authentication process. For example, a person logging in to their bank to transfer money may also need to verify their identity by providing a security code.
Examples of more secure ways of authentication than just usernames and passwords
- eID: According to an EU directive, all countries in the Union must provide an application that citizens can use to confirm their identity digitally, a so-called eID. This is a safer way for people to confirm their identity than simply logging in with a username and password.
- Fingerprints: Another way to achieve more secure authentication is to require, for example, that an employee who needs to log in to a system holding sensitive personal data does so with a name, a password and a fingerprint.
How businesses can use authentication in practice
Needs
The first thing a company should do is analyze its need for authentication: for example, which types of personal data need to be protected by a secure authentication process.
Documentation
It is good to always document the company's data protection work, as this makes it easier to prove that the company complies with the GDPR in practice. If the processing concerns personal data that warrants extra protection, it is particularly important, for example, to create a policy on how such data is processed. In addition, it is good to draw up written instructions and provide appropriate training to employees.
User accounts
It is good if every user has their own user account instead of sharing a common one. That way the company can more easily see who has done what in the system and check that personal data is processed correctly. In addition, passwords should be complex and strong. If the company needs a more secure authentication process with, for example, smart cards, these should also be individual to each user.
Authentication process
The more important the personal data processed, the higher the security requirements. The strength of the authentication should therefore correspond to the classification level of that data.
Logging
For security reasons, it is a good idea to log failed login attempts. The same applies to successful logins.
Overly drastic measures
Please note that it is not always appropriate to implement overly drastic identification measures. For example, it may be disproportionate to ask a person to submit a photocopy of their passport in order to delete their user account on a free service.
Backup is another technical measure
To avoid personal data being deleted unlawfully, it is good to back it up, for example by storing copies on a cloud service, so that the company can recover lost personal data if necessary. If personal data is deleted unlawfully or by mistake, for example because a computer storing personal data is infected by a virus, that is a personal data breach. Having backups of stored data is therefore a preventive technical security measure. Please note that it is important to protect the backups just as the company protects the originals.