Network segmentation
Divide networks into different segments
One technical security measure a company can take to protect personal data under the GDPR is to divide its networks into separate segments. This applies to both wireless and wired networks, and the segmentation can be implemented physically or virtually. This is called network segmentation: the computer network is divided into sub-networks, each of which forms its own network segment. In this way the company restricts contact between networks that have no need to communicate with each other.
Protecting personal data by dividing networks into different segments (network segmentation)
In simple terms, network segmentation means dividing a network into segments that cannot communicate with each other unless explicitly permitted. One reason for doing this is to protect the personal data the company processes in its networks from unauthorised access, and likewise from unauthorised disclosure. Segmentation can also improve availability, since it can increase performance and reduce network load, which helps keep services available when needed.
How businesses can work with network segmentation
Analyze the need
When a company analyses its need for network segmentation, it should first determine exactly what is to be segmented, and then how the segmentation is to take place.
Document the analysis
To show that the implemented network segmentation complies with the GDPR, the company should document the analysis in writing and establish a policy. This is especially important where sensitive personal data, or other personal data deserving protection, is concerned.
Test the segmentation
It is important to test the network segmentation and the rules that have been set, to make sure that traffic flows as intended and that the rules have been implemented correctly. For example, test that data does not flow between sub-networks where it should not.
Draw up instructions
To make it easier for the employees who work with the network and ensure that they work in accordance with the GDPR, the company should draw up written instructions. It is also good to offer appropriate training and knowledge about network segmentation and data protection in general.
Log the traffic
By logging traffic within the segmented networks, the company can follow up and verify, for example, that none of the networks has been affected by malware such as viruses. The company can also monitor whether personal data has been leaked, altered without authorisation or otherwise tampered with.
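The steps "Test the segmentation" and "Log the traffic" above can be supported with a small policy check run over firewall flow logs. The following is an added example and not part of the original page: the segment addresses, the allow-list of permitted flows and the log format are all constructed assumptions. It flags two kinds of misconfiguration: flows the firewall accepted although the segmentation policy does not permit them (a possible leak of personal data between segments), and flows it dropped although the policy permits them (a rule that breaks a legitimate service).

```python
import ipaddress

# Hypothetical segments (constructed example addressing, not from the original page).
# "hr_records" is the segment assumed to hold personal data.
SEGMENTS = {
    "office":     ipaddress.ip_network("10.10.0.0/24"),
    "hr_records": ipaddress.ip_network("10.20.0.0/24"),
    "guest_wifi": ipaddress.ip_network("10.30.0.0/24"),
}

# Allow-list of permitted cross-segment flows: (source segment, destination segment, destination port).
# Anything not listed is expected to be blocked by the segmentation rules.
ALLOWED_FLOWS = {
    ("office", "hr_records", 443),
}


def segment_of(ip_str):
    """Return the name of the segment an address belongs to, or None if it is unknown."""
    ip = ipaddress.ip_address(ip_str)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return None


def is_allowed(src_ip, dst_ip, dst_port):
    """Policy decision: is this flow permitted by the documented segmentation rules?"""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False            # unknown addresses are never trusted
    if src == dst:
        return True             # traffic inside one segment is not restricted by segmentation
    return (src, dst, dst_port) in ALLOWED_FLOWS


def parse_flow_line(line):
    """Parse the constructed log format: '<timestamp> <src_ip> <dst_ip> <dst_port> <action>'."""
    ts, src, dst, port, action = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "action": action}


def find_violations(log_lines):
    """Compare each logged firewall decision with the policy.

    Returns (leaks, false_blocks): flows accepted although not permitted,
    and flows dropped although permitted.
    """
    leaks, false_blocks = [], []
    for line in log_lines:
        flow = parse_flow_line(line)
        permitted = is_allowed(flow["src"], flow["dst"], flow["port"])
        if flow["action"] == "ACCEPT" and not permitted:
            leaks.append(flow)
        elif flow["action"] == "DROP" and permitted:
            false_blocks.append(flow)
    return leaks, false_blocks


# Constructed sample log lines for the demonstration.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 10.10.0.5  10.20.0.10 443  ACCEPT",  # office -> HR over HTTPS: permitted
    "2024-01-01T10:00:01Z 10.30.0.7  10.20.0.10 445  ACCEPT",  # guest Wi-Fi -> HR over SMB: leak
    "2024-01-01T10:00:02Z 10.10.0.5  10.20.0.10 22   DROP",    # office -> HR over SSH: correctly blocked
    "2024-01-01T10:00:03Z 10.10.0.6  10.20.0.10 443  DROP",    # permitted flow blocked: rule error
    "2024-01-01T10:00:04Z 10.20.0.10 10.20.0.11 5432 ACCEPT",  # inside HR segment: not restricted
]

if __name__ == "__main__":
    leaks, false_blocks = find_violations(SAMPLE_LOG)
    for f in leaks:
        print("LEAK: unexpected cross-segment traffic", f)
    for f in false_blocks:
        print("BLOCKED: permitted flow was dropped", f)
```

Running the check after every rule change, and again on a schedule against the live logs, turns the one-off segmentation test into the continuous follow-up the "Log the traffic" step describes. The allow-list doubles as the written record of the segmentation policy that the documentation step calls for.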
Authentication
Authentication is another type of technical security measure that may be implemented to protect the personal data being processed. It may be necessary for users of a digital service to confirm their identity before they are logged in. The appropriate authentication process varies from case to case: in some cases it may be appropriate to use, for example, a personal eID or similar, while in others a username and password may be sufficient.