A recently published study from ENISA — the European Union Agency for Network and Information Security which advises member states and private sector organizations in implementing EU legislation, provides guidelines on how to take the appropriate measures to comply with the General Data Protection Regulation (GDPR). ENISA’s recommendation includes two-factor authentication and mobile application security as technical measures in high-risk situations.
The GDPR becomes the main legal framework for data protection in the EU and represents a significant step towards enhancing the privacy of EU citizens. Additionally, GDPR is applicable to any company offering goods or services to EU citizens, regardless of its size, location or industry, dealing with personal data as a data controller or as a data processor.
Significantly, and as defined in Article 32 of the GDPR, one of the core obligations for these companies is applying technical measures to secure this personal data by stating that data controllers and processors “shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.”
The implications and costs of non-compliance can be substantial — up to 4% of annual global turnover or €20 Million, whichever is greater. They are also obliged to report all breaches within 72 hours, risking significant brand damage in return.
ENISA Guidelines to Comply with GDPR
ENISA’s study on how to adopt organizational and technical security measures in order to achieve compliance with GDPR, makes use of a risk-based approach to define the appropriate measures in different areas.
For example, in the area of access control and authentication, ENISA recommends implementing two-factor authentication in high-risk cases and in certain medium impact cases, as follows: “Two-factor authentication should preferably be used for accessing systems that process personal data. The authentication factors could be passwords, security tokens, USB sticks with a secret token, biometrics etc.”
In the area of mobile devices, ENISA mentions that mobile devices increase the exposure to theft and accidental loss. Moreover, they are likely to be used for personal purposes, so special care must be taken to ensure that business-related data is not compromised. This results in the guideline that “two-factor authentication should be considered for accessing mobile devices, and personal data stored at the mobile device should be encrypted.”
Finally, when it comes to application development, ENISA recommends ensuring that personal data security is taken into consideration. During the development lifecycle, this encompasses “best practices, state of the art and well acknowledged secure development practices, frameworks or standards should be followed,” even for low risk cases.
With less than one year before GDPR provisions come into force, organizations are only starting to consider the changes they should undertake and to broaden the perspective of their existing information security and business strategy.
However, the lead-time of change required and how these changes will affect your organization are unpredictable. That is why ENISA recommends the EU to increase communication and to raise awareness in order to convince the organizations to take action on GDPR.
As a result, I am convinced this ENISA report to be a good starting point for organizations to evaluate their readiness to comply with it.