Data protection is closely linked to information security. In particular, since the entry into force of European Regulation 2016/679 (the GDPR), any individual may demand that their personal data be collected and processed by third parties only in compliance with the rules and principles laid down by the relevant laws, both at European Union level and in the individual Member States. The purpose of the legislation is to give the data subject alone the power to dispose of their data, guaranteeing them control over all information concerning their private life and, at the same time, providing them with the tools to protect that information.
There are 6 basic principles that regulate data protection:
- Lawfulness, fairness and transparency in the processing of data;
- Purpose limitation: data must be processed only for specified, explicit and legitimate purposes;
- Data minimization: data must be adequate, relevant and limited to what is necessary (not excessive) with respect to the purposes;
- Accuracy: data must be kept accurate and up to date;
- Storage limitation: data must be kept only for as long as necessary for the purpose;
- Integrity and confidentiality: data must be processed securely, in such a way that it is protected against alteration and unauthorized access.
Let us consider principles 5 and 6 from the point of view of data managed at the IT level. All companies that process personal data (in practice, all of them, since the data in question include that of employees and not only data collected for marketing) will be required to analyze the processes behind their data flows, to organize storage and archiving according to the provisions of the legislation, and then to delete personal data as soon as it is no longer needed. Finally, as regards integrity and confidentiality, what matters is the reliability of the physical or virtual space in which the data is stored, together with the encryption of the portion of it that constitutes personal data.
In short, it is not enough to defend against external attacks with firewalls, antivirus and anti-malware tools; it is also necessary to take into consideration the internal data management processes and flows, with particular attention to personal data.