GDPR and Cyber Security - A successful duo for Personal Data Protection
European Cyber Security Month (ECSM) is marked in October and is coordinated by the European Union's Cyber Security Agency (ENISA) and the European Commission since 2011. ECSM is a campaign to raise awareness among citizens about cyber risks in their daily online activities
At the European Union level, we have EU Directive 2016/1148 transposed in Romania by Law 362/2018, legal instruments that set out the measures to ensure cyber security.
The competent authority in Romania for national public cyberspace and for the management of cybersecurity risks and incidents is the National Cybersecurity Authority established by GEO 104/2021.
Under this umbrella of Cyber Security Month, it is useful to recall the interconnectivity between the two big steps impacting the protection of our personal data: Cyber Security and GDPR Regulation.
More specifically, in terms of what these particular sets of laws actually mean, GDPR (Regulation 679/2016 on the protection of personal data) and cyber security are closely related and work together to ensure the confidentiality, integrity, and availability of sensitive data within a company. While data protection under the GDPR refers to a broader spectrum of situations where personal data is involved, cyber security through the systems in place is a technical measure that ensures a high level of protection for these categories data.
Examples of connection between the two measures within a company:
Data privacy:
Data protection: Data protection measures, strong privacy measures such as encryption, and access controls, help to protect sensitive data by ensuring that only authorised persons can access it.
Cyber security: Cyber security measures, such as firewalls and intrusion detection systems, prevent unauthorised access to the network and systems, which in turn helps protect data privacy.
Data integrity:
Data protection: data integrity mechanisms such as digital checksums and digital certified signatures.
Cybersecurity: Cybersecurity controls such as antivirus software protect against malware and other threats that could alter data.
Data access:
Data Protection: Data backup strategies ensure data availability in the event of hardware failure or data loss.
Cybersecurity: Includes incident response plans and recovery procedures in case of security incidents, and helps maintain access to data even in the event of cyber-attacks or other security disruptions.
Access control:
Data Protection: Role-based access control and data classification systems help manage who can access and modify personal data, reducing the risk of data breaches.
Cyber security: Firewalls and invasive detection systems prevent unauthorised access to network resources and systems, helping to control access.
Incident response:
Data Protection: Security Impact Incident Response Plans define how to manage and report incidents to minimize their impact.
Cyber Security: Cyber Information Incident Response Plans address how to manage security incidents, including data breaches, and recover effectively from them.
GDPR is specifically designed to safeguard personal data, whereas cybersecurity addresses a broader spectrum of potential threats and vulnerabilities that could jeopardize the integrity of such information. The combined implementation of GDPR and cybersecurity measures enables companies to mitigate risks, safeguard sensitive data, and uphold customer trust in their core services.