14 Nov Security as a Business – ICT Legal Consulting (ICTLC) attends the conference of the European Union Agency for Network and Information Security (ENISA)

Background

On Monday 8 October), ICT Legal Consulting ICTLC’s founding partner Prof. Paolo Balboni presented at a conference of the European Union Agency for Network and Information Security (“ENISA”) on the Security of Personal Data Processing, organised together with the Digital SME Alliance, and the Hellenic Data Protection Authority (“HDPA”), in Athens, Greece. ENISA is the European Union Agency for Network and Information Security, a centre of expertise for cyber security in Europe that works closely with Member States and different private sector organisations to give advice and solutions. Throughout the day, many experts shared their advice and journey of complying with the General Data Protection Regulation (“GDPR”), focusing on Small and Medium Enterprises (“SMEs”), and we will summarise their valuable insights below.

Main Issues

The Head of the Unit of Data security and Standardisation at the European Union Agency on Network and Information Security (“ENISA” or “the Agency”), Andreas Mitrakas, emphasised the importance of creating a data protection framework commensurate with the risks perceived – method that places a risk-based approach at its centre. Also, Mr. Mitrakas pointed out the efficiency of adhering to Codes of Conduct or Certifications, as a means of demonstrating compliance as an SME. On a similar note, the Digital SME Alliance may be of interest to SMEs since it is the largest network of SMEs around europe, which has created an ecosystem that can develop SMEs’ certifications, so-called – small business standards” (“SBS”) that are more favorable for SMEs and implement the GDPR based on sectors.

Prof. Paolo Balboni (founding partner of ICT Legal Consulting) presented a wholistic approach of the selected tools and best practices available in the market in order for SMEs to comply with the GDPR, starting from the principle of data protection by design and by default, which is a principle that involves all the stages of a processing activity – the lawfulness and fairness of the processing, the transparency to the data subject, the collection of personal data for specified, explicit and legitimate purposes, the minimisation, accuracy, integrity and confidentiality of the personal data, and the appropriate storage limitation. In order for a company to ensure that it has taken all the necessary compliance measures, the Information Commissioner’s Office – the Data Protection Authority of the UK, (“ICO”) has created the Data Protection Self-Assessment Toolkit. Additionally, the Hellenic Data Protection Authority has drafted a 10-step preparation guidance, the French Data Protection Authority, Commission Nationale de l’Informatique et des Libertés (“CNIL”) has drafted a Guide to Assist Processors, meanwhile the Italian Data Protection Authority, the Garante, has drafted a Guide for the Application of the GDPR.  These tools give preliminary guidance to companies acting as both data controllers and data processors.

Following on, Giuseppe D’Acquisto, the Executive Officer of the Italian Data Protection Authority, presented a new security paradigm- “security integrated into the business”, where the approach to security is different. Instead of looking at security as a threat to business needs, companies should consider security as an integral dimension to do business. Mr. D’Acquisto informed the audience that effectively around 70% of SMEs do not get the chance to negotiate their contracts with their security providers, resulting to a de facto inability – as a data controller- to predict malfunctioning and encounter risks of any kind. However, SMEs are also requested to follow the risk-based approach to be aware of what data-security risks they are open to and can then select adequate service providers according to their security goals. Therefore, Mr. D’Acquisto advised that when the security measures are based on the risk-based approach and used as a core aspect to do business, costs will be reduced, and compliance will be tailor-made and more efficient. Lastly, Mr. D’Acquisto suggested that ENISA is working on a project on pseudonymisation that may serve useful in the near future.

Dr. Prokopios Drogkaris, as a Network and Information Security Expert in ENISA, reiterated that security is not a “one size fits all” matter and provided a useful overview of ENISA’ Guidelines, such as the Handbook on Security of Personal Data Processing and the Guidelines for SMEs on the Security of Personal Data Processing.

A more technical perspective was presented by George Patsis, the CEO of Obrela Security Industries, who shortly explained how a company can move from prevention to resilience. As Mr. Patsis mentioned, the probability that a data breach will occur is 1, meaning that at some point in a business’ lifetime a data breach incident will be experienced. Therefore, the old question of “how can we prevent the data breaches?”, switches focus to “how can we create a resilient environment in order to handle data breaches more effectively?”. The way to do that is by managing your exposure, firstly by identifying your “attack surface” – an analogy for the opportunities you may allow for a data breach to occur, such as internal storage locations, and the external recipients of personal data (suppliers, partners, vendors). Once this is done, it becomes a matter of cyber resilience: reducing, patching and raising awareness of the attack surface.

The last topic of the conference was the principle of data protection by design and by default – or as Athena Bourka, a Network and Information Security Expert of ENISA, called it “think privacy – design privacy”. Mrs. Bourka presented the 8 step strategy, following ENISA’s Guidelines on Privacy and Data Protection by Design; 1) Minimise, 2) Hide, 3) Separate, 4) Aggregate, 5) Inform, 6) Control, 7) Enforce, and 8) Demonstrate. After following this design plan for all processing activities or future projects to be implemented, the question that remains is to choose the appropriate measures to control the risk at hand. However, the important part is to make privacy a dimension of designing any product, service or project within a company.

Practical Implications

1. A data protection compliance framework must be drafted based on the risk-based approach – companies should evaluate the risks inherent in the processing activities and implement a framework to mitigate those risks;
2. Adhering to codes of conduct or certifications is an efficient method to demonstrate compliance – companies may search for certifications or codes of conduct that apply to the kind of processing activities they conduct and apply for their approval to certification bodies;
3. SMEs are also requested to follow the risk-based approach to be aware of what data-security risks they are open to and can then select adequate service providers according to their security goals;
4. In the long term, a company should aim for resilience –  moving from prevention to resilience may be a difficult task but it will be the most powerful method to handle data breaches and cyber security risks in general;
5. Companies should “think privacy – design privacy” – privacy should be implemented from the earlier stage of designing projects, processes, new goods and services.