GDPR: Application of the Rules is very Expensive
In this respect, the Regulation is very clear. Article 34 states: “Taking into account the state of the art and the costs of implementation, as well as the nature, scope, context and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, which include, among others, where appropriate …” (see GDPR: the full regulation).
Therefore, a small company whose economic capacity does not allow it to guarantee an adequate level of security for a given processing activity, for example the processing of genetic data, should simply not carry out that activity.
On the other hand, a small company is not expected to reach the level of security that larger, better-funded companies can afford. The Regulation does not ask you to bite off more than you can chew, but to put in place actions (even at zero financial cost) that allow the company to carry out the processing it performs while guaranteeing the rights of the persons to whom the data relate, by applying measures that minimize the risk that processing entails (see our GDPR eBook).
Furthermore, the principle that the GDPR introduces is that of accountability: the responsibility of the data controller to do its utmost to guarantee the rights of the data subjects.
So what’s the Regulation trying to imply?
Let’s put some concrete cases to understand:
- sharing of a username and password between employees of the same organization;
- use of the same password for multiple systems, sites and applications;
- use of mnemonic passwords (dates of birth, names of people, common words);
- use of applications and systems without access credentials;
- use of post-it notes carrying the username and password of the computer, the printer or the network.
It is evident that:
- if there are no login credentials, a potential attacker does not even have to spend time finding them;
- if two people share the same credentials, in the event of a problem it will be difficult to identify who may have acted carelessly;
- a reused password is a gift to anyone who wants to guess it in order to carry out unlawful actions: the attacker only has to find it once and can then reuse it on every system the legitimate holder has access to;
- a mnemonic password is the easiest to reproduce, since it is among the first attempts that any automated tool (and any attacker, even one with little cybersecurity experience) makes, with a high (if not total) rate of success.
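The three bad practices above (shared accounts, reused passwords, mnemonic passwords) can be checked mechanically. The following is an added example, not code from the original article: a small credential-hygiene audit run over a constructed inventory of accounts. The company name, the people, the systems and the word lists are all invented for the demo, and the inventory holds plaintext passwords only so the checks are visible; a real audit would work from a password manager's export or a breached-password list rather than a plaintext file.

```python
"""Added example: audit a constructed account inventory for the practices
the article lists (shared credentials, password reuse, mnemonic passwords).
All names, systems and passwords below are constructed for the demo."""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed word lists. A real deployment would use a full dictionary and a
# breached-password list instead of these few entries.
COMMON_WORDS = {"password", "welcome", "qwerty", "letmein", "admin", "company"}
KNOWN_NAMES = {"mario", "giulia", "luca", "anna"}   # names of staff/relatives
MIN_LENGTH = 12

# Constructed inventory: who uses which account, and with which password.
INVENTORY = [
    {"person": "Mario", "system": "CRM", "username": "sales", "password": "Giulia1985"},
    {"person": "Anna", "system": "CRM", "username": "sales", "password": "Giulia1985"},
    {"person": "Mario", "system": "Mail", "username": "mario", "password": "Giulia1985"},
    {"person": "Anna", "system": "Mail", "username": "anna", "password": "x9#Lq2!vR7pTz"},
    {"person": "Luca", "system": "Printer", "username": "admin", "password": "admin"},
]


def weakness_reasons(password: str) -> list[str]:
    """Return why a password counts as mnemonic/weak; empty list if it passes."""
    reasons = []
    low = password.lower()
    if any(word in low for word in COMMON_WORDS):
        reasons.append("common word")
    if any(name in low for name in KNOWN_NAMES):
        reasons.append("personal name")
    # A 19xx/20xx year, or a bare 6-8 digit run such as 130585 or 13051985.
    if re.search(r"(19|20)\d{2}", password) or re.fullmatch(r"\d{6,8}", password):
        reasons.append("date-like")
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    return reasons


def find_shared_accounts(inventory) -> dict[tuple[str, str], list[str]]:
    """Accounts (system, username) used by more than one person."""
    holders = defaultdict(set)
    for rec in inventory:
        holders[(rec["system"], rec["username"])].add(rec["person"])
    return {acct: sorted(people) for acct, people in holders.items() if len(people) > 1}


def find_reused_passwords(inventory) -> list[tuple[str, list[str]]]:
    """(person, systems) pairs where one person uses one password on several systems."""
    systems = defaultdict(set)
    for rec in inventory:
        systems[(rec["person"], rec["password"])].add(rec["system"])
    return [(person, sorted(s)) for (person, _), s in systems.items() if len(s) > 1]


def find_weak_passwords(inventory) -> dict[tuple[str, str], list[str]]:
    """Accounts whose password trips at least one weakness rule."""
    findings = {}
    for rec in inventory:
        reasons = weakness_reasons(rec["password"])
        if reasons:
            findings[(rec["system"], rec["username"])] = reasons
    return findings


def report(inventory) -> None:
    """Print the three kinds of finding in a form an auditor could act on."""
    for acct, people in find_shared_accounts(inventory).items():
        print(f"SHARED  {acct[0]}/{acct[1]} used by {', '.join(people)}")
    for person, systems in find_reused_passwords(inventory):
        print(f"REUSED  {person} uses one password on {', '.join(systems)}")
    for acct, reasons in find_weak_passwords(inventory).items():
        print(f"WEAK    {acct[0]}/{acct[1]}: {', '.join(reasons)}")


if __name__ == "__main__":
    report(INVENTORY)
```

Each finding maps to one of the article's points: a shared account means nobody can be held individually accountable, a reused password means one guess opens several systems, and a weak password is one an automated guesser tries first. Fixing all three costs nothing beyond a password manager and a short training session.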
What are the risks involved in implementing the Regulation?
In the event of an inspection, in all the situations listed it will be difficult for any company owner to claim to have done everything possible to minimize the risk of the processing. Eliminating these bad practices has no significant financial cost, especially when compared with the risk involved and the sanction provided for if they are discovered.
It is enough to start by making everyone responsible for the value of company data (training activities) and to adopt programs that are now widespread and in many cases free, called password managers. They store all the credentials that would otherwise have to be remembered, so that only the one used to unlock the program has to be memorized.
Simply installing a good antivirus on all systems and keeping it regularly updated not only improves data security (and therefore the security of the processing carried out), but also reduces the risk that a single device, or the entire company information system, is put out of service, with the costs that a production shutdown implies.