Increasing cyber security requirements: the latest trend in privacy
If you follow our blog posts, you may have noticed a theme emerging over the past months: increasing cyber security requirements. We recently published an article outlining the potential for Australia to introduce more robust cyber security regulation and we highlighted Australia’s first cyber security case. In this post, we’ll take a deeper look at the technical requirements outlined in the new SCCs. Then, we’ll outline how these can be used to develop stronger technical cyber security measures at your organisation.
Increasing Cyber Security Requirements Under the SCCs
The GDPR requires any data transferred out of the EU to be protected by measures that are essentially equivalent to the EU standard. The supplementary measures, including the technical measures outlined in Annex II of the new SCCs, have been developed to help organisations meet that requirement.
Examples of possible supplementary measures included in Annex II are:
- Pseudonymisation and encryption of personal data
- Ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
- Ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- Regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
- User identification and authorisation
- Protection of data during transmission
- Protection of data during storage
- Ensuring physical security of locations at which personal data are processed
- Ensuring events logging
- Ensuring system configuration, including default configuration
- Internal IT and IT security governance and management
- Certification/assurance of processes and products
- Data minimisation (see our blog post on data minimisation in practice)
- Ensuring data quality
- Limited data retention
- Ensuring accountability
- Allowing data portability and ensuring erasure.
Examples of Effective Cyber Security Measures
The European Data Protection Board (EDPB) released their updated recommendations in the days following the publication of the new SCCs. These recommendations provided specific examples of ‘effective’ measures.
For businesses that are required to comply with the SCCs, these serve as a useful cynosure. Organisations that aren’t required to comply with the SCCs may still draw best practices from these examples. As we outlined above, there is a global trend emerging in privacy regulation requiring greater technical cyber security measures. Consumer sentiment reflects the growing demand for better cyber security too.
These example scenarios include:
Encryption as an effective technical measure for data storage and backup (where data access in the clear is not required).
Under the new SCCs, data exporters are likely to be able to transfer encrypted data to third countries for storage where the data importer is verified and there are effective encryption measures in place.
The EDPB’s guidance refers to the following encryption measures specifically:
- the encryption algorithm and its parameterization (e.g., key length, operating mode, if applicable) conform to the state-of-the-art and can be considered robust against cryptanalysis performed by the public authorities in the recipient country taking into account the resources and technical capabilities (e.g., computing power for brute-force attacks) available to them,
- the strength of the encryption and key length takes into account the specific time period during which the confidentiality of the encrypted personal data must be preserved,
- the encryption algorithm is implemented correctly and by properly maintained software without known vulnerabilities the conformity of which to the specification of the algorithm chosen has been verified, e.g., by certification,
- the keys are reliably managed (generated, administered, stored, if relevant, linked to the identity of an intended recipient, and revoked),
- the keys are retained solely under the control of the data exporter, or by an entity trusted by the exporter in the EEA or under a jurisdiction offering an essentially equivalent level of protection to that guaranteed within the EEA.
We wrote previously about an innovative encryption tool we helped develop. You can find the white paper on Cryptoloc here.
Pseudonymisation for data being transferred for use.
Pseudonymisation can be an effective measure for protecting personal data when the data being transferred is intended to be used by the data importer. This covers situations like, for instance, when the information will be used for research purposes.
The EDPB’s guidance goes on to specify the following conditions for pseudonymisation to be considered an effective measure:
- a data exporter transfers personal data processed in such a manner that the personal data can no longer be attributed to a specific data subject, nor be used to single out the data subject in a larger group without the use of additional information,
- that additional information is held exclusively by the data exporter and kept separately in a Member State or in a third country, by an entity trusted by the exporter in the EEA or under a jurisdiction offering an essentially equivalent level of protection to that guaranteed within the EEA,
- disclosure or unauthorised use of that additional information is prevented by appropriate technical and organisational safeguards, it is ensured that the data exporter retains sole control of the algorithm or repository that enables re-identification using the additional information, and
- the controller has established by means of a thorough analysis of the data in question – taking into account any information that the public authorities of the recipient country may be expected to possess and use – that the pseudonymised personal data cannot be attributed to an identified or identifiable natural person even if cross-referenced with such information.
It is important to consider, however, that pseudonymisation doesn’t always protect the data subject. In some cases, the data importer (or third parties who intercept or otherwise receive the data) can use techniques like brute-force attack, guesswork, or dictionary search to essentially reverse the pseudonymisation.
For more information about robust pseudonymisation measures, read this guidance from the European Union Agency for Cybersecurity (ENISA): https://www.enisa.europa.eu/publications/pseudonymisation-techniques-and-best-practices/at_download/fullReport
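The reversibility point above is easy to see in code. The following is an added example (not from the original post or from Privacy 108) with a constructed two-record dataset: an unkeyed hash of an identifier can be undone by anyone who can enumerate plausible identifiers, whereas a keyed pseudonym (here HMAC-SHA256, chosen for illustration) can only be reversed by whoever holds the key, which is the “additional information” the exporter must keep under its sole control.

```python
import hashlib
import hmac
import secrets

# Constructed sample dataset keyed by a low-entropy identifier (e-mail).
RECORDS = {
    "alice@example.com": {"age": 34, "condition": "A"},
    "bob@example.com": {"age": 41, "condition": "B"},
}

# Weak pseudonymisation: unkeyed hash. Anyone able to guess candidate
# identifiers can recompute the same value and re-identify the row.
def pseudonymise_unkeyed(identifier: str) -> str:
    return hashlib.sha256(identifier.encode()).hexdigest()

# Stronger pseudonymisation: HMAC under a secret key. The key is the
# additional information and stays solely with the data exporter.
def pseudonymise_keyed(identifier: str, key: bytes) -> str:
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()

def export(records: dict, pseudonymise) -> dict:
    """Replace the identifier column by its pseudonym before transfer."""
    return {pseudonymise(ident): data for ident, data in records.items()}

def reidentify(exported: dict, candidates: list, pseudonymise) -> dict:
    """Self-check: how many rows a party holding only a candidate list and
    the given pseudonymisation function can link back to an identifier."""
    lookup = {pseudonymise(c): c for c in candidates}
    return {lookup[p]: data for p, data in exported.items() if p in lookup}

def demo() -> dict:
    candidates = ["alice@example.com", "bob@example.com", "carol@example.com"]
    key = secrets.token_bytes(32)  # generated and retained by the exporter
    weak = export(RECORDS, pseudonymise_unkeyed)
    strong = export(RECORDS, lambda i: pseudonymise_keyed(i, key))
    return {
        # Unkeyed export: every guessed identifier is recovered.
        "unkeyed_recovered": len(reidentify(weak, candidates, pseudonymise_unkeyed)),
        # Keyed export, checked without the key: nothing links.
        "keyed_without_key": len(reidentify(strong, candidates, pseudonymise_unkeyed)),
        # Only the exporter, holding the key, can re-identify.
        "keyed_with_key": len(reidentify(
            strong, candidates, lambda i: pseudonymise_keyed(i, key))),
    }
```

Running this check against your own export before transfer is a practical way to test the condition that re-identification must remain solely in the exporter’s hands; if the importer is likely to know the identifier space, an unkeyed hash does not meet it.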
Developing Resilient Cyber Security Measures at Your Organisation
Whether or not your organisation is required to consider the SCCs for cross-border data transfers from the EU, you should be starting to reflect on the cyber security measures you have in place to protect the personal data you hold. The technical measures from Annex II (referred to above) are a good starting point. But organisations must first identify the personal data they collect, store, use and transfer, and they must understand organisational data flows.
If you need assistance mapping data flows within your organisation or developing more robust cyber security measures to protect personal information and to comply with the EU’s SCCs, get in touch. Privacy 108 has extensive experience in identifying, managing and streamlining organisational data flows and in developing resilient technical protections.