What is ‘data security’?
Cyber attacks are constantly making headlines these days. Cryptolocker attacks capture most of those headlines, but under the radar companies just as often fall prey to plain hacking and data theft. Cyber criminals have also noticed that their online activities pay off: the profits from crime are huge while the odds of being caught are minimal. Moreover, the days when internal staff were digitally illiterate are long gone. In a conflict situation they know all too well how to exploit the digital vulnerabilities of their employer. In other words, cyber risks are ever-present and often come from unexpected quarters.
Guaranteeing data security is therefore one of the cornerstones of the GDPR. Article 5(1)(f), Article 24 and Article 28(3)(e) oblige both the data controller and any processor to take “all appropriate technical and organisational measures” to ensure “appropriate security”, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technology. Cyber security and the GDPR are inextricably linked.
This is without doubt one of the vaguest provisions of the GDPR. What are “appropriate technical and organisational measures” and what exactly is “appropriate security”? For a better understanding we must return to the accountability principle described earlier. Every business or department must perform a risk analysis of its internal operations. Following a ‘risk-based approach’, you then eliminate the greatest risks first, weighing each risk against the technical, financial and organisational means available to you. It is important to document everything properly: that documentation shows that, for every identified risk, you did everything in your power to choose the most ‘appropriate’ solution in light of the context.
So what are those risks, and the appropriate technical and organisational measures, in a marketing or webshop department? Here are a few classics to illustrate the point. The list is not exhaustive and what applies depends on your specific situation.
- Sharing your password for the Mailchimp or Google Analytics account with everyone in the team
- Keeping those passwords in a file on the company network or on a post-it at the office
- Using your own devices or home networks to access online accounts such as Mailchimp, Hubspot or CMS systems, or more generally to process personal data belonging to the company, without taking appropriate safety measures (antivirus, firewall, VPN, two-factor authentication, ...)
- The use of Adtech tools without first investigating the GDPR compliance and security guarantees these tools can offer. Typical points of concern include whether the vendor offers a data processing agreement, where data is stored (inside or outside the EEA), and data protection by design and by default, ...
- The use of self-chosen tools or so-called shadow IT by employees without the knowledge of management and/or IT, and without prior risk analysis
- Calling on external partners (email marketing partner, direct mail partner, online marketing partner, ...) without prior guarantees of GDPR compliance in the shape of a data processing agreement