Businesses now understand the real challenge they face: doing everything possible to ensure the security of their users' personal data.
Given the large fines recently imposed on companies by the UK data protection authority for breaches of the rules governing how that data is managed, the warning is significant.
The European standard that has been in force for a few years now, the General Data Protection Regulation (GDPR), requires companies to take all necessary measures, whether organisational, technological or professional, to ensure that personal data under their management, and clearly under their responsibility, is not accessed or altered in any way; failing this, they will be sanctioned. All of this applies in proportion to the risk, and therefore to the scope of the processing and the realities of each sector.
Clearly, it is all a matter of assessment when we talk about the requirements of the General Data Protection Regulation. This means that the obligation that falls on a large company will not be the same as the one that falls on a small business when it comes to cybersecurity and data protection.
To assist companies with this obligation, the data protection authorities in each country regularly publish documents explaining how to ensure a minimum level of IT security. It is not uncommon for some basic measures to be formulated, such as:
– Use of antivirus solutions
– Systematic updating of operating systems and software
– Making regular backups so that software and data can be recovered more easily
– Use of the HTTPS protocol for the company's website
– Use of hardware or software firewalls
– Developing a physical security system by determining and limiting access to terminals through physical authentication such as badges or biometric measurements
– Setting up access systems with a single identifier per user and an authentication system
– Setting up a data encryption system
– Use of anonymisation and pseudonymisation systems
When companies fail in these obligations, data protection authorities apply sanctions, generally in the form of fines. We remember that in 2020 several companies were sanctioned, for example the British airline British Airways, which was ordered to pay a fine of 20 million pounds.
"Failures to comply with the GDPR can be subject to administrative fines of up to 20 million euros or 4% of the total annual global turnover of the previous year, whichever is higher. On 16 October 2020, the ICO fined another airline, British Airways, a record 20 million pounds for a data breach and for breaches of the GDPR's security principle. The decisions of the UK Data Protection Authority are a serious warning to stay up to date and ensure the security, availability, authenticity, integrity and confidentiality of personal data," comments Guillaume Rue, associate lawyer at Cairn Legal. "For example, in 2020, following data breaches, the ICO (UK DPA) imposed fines of 1/2 million pounds on two large companies. In both decisions, the ICO listed the numerous security breaches and, among them, the fact that their computer system was hosted on an outdated and vulnerable operating system, which was no longer supported by the supplier. This meant that this operating system was deprived of any technical support to deal with problems, software updates and especially security updates or fixes."
Although there is no material evidence that the obsolescence of the operating system was the cause of any computer incident affecting personal data, the British data protection authority concluded that operating in this way is, in itself, a breach of the General Data Protection Regulation. Indeed, an outdated operating system is an open door to computer attacks, and this is plain to anyone in the IT industry.