“I do not keep online data, only hard copies.” Do I still need GDPR compliance?
Lately, many people approach me with questions related to GDPR. I understand the confusion about the new regulation and am happy to help anyone who wants to understand how it affects their business and how to be compliant. So, I have decided to write a few articles about the common questions I get all the time.
One of the most common statements I hear is the following:
“I do not keep online data, only hard copies.” Do I still need GDPR compliance?
That is a great question.
The short answer is yes. GDPR applies to hard copies (filing systems) as well.
Even though the chance of having your data stolen by a cyber-criminal is significantly lower when your data does not live online, there is still a risk. Naturally, the threat level for offline data is higher for businesses or people who hold very important data. What makes data important in this context is whether it can generate profit or otherwise benefit the criminal in the way he or she wishes.
So, your threat level depends on who you are and how valuable a target you are. This can only be determined by a threat level evaluation of your business, or of you personally.
That is why GDPR covers offline data as well, and why you need to safeguard hard copies of data too. The level of protection this data requires is always based on your scale, and your scale is not defined only by the size of your company. It involves many more factors which, if you are interested, I can analyze in another article. Please let me know with a comment below if you would like to know how your scale is defined.
How do we protect physical data?
With infrastructure security. Sometimes we call it physical security as well, but the term physical security is often confused with just one component of infrastructure security: the security personnel we have on site to protect an infrastructure. Infrastructure security, however, means much more than the security personnel we have.
Infrastructure security in the past was mainly applied by governmental institutions (agencies), high tech companies, bio labs, and in general anywhere human lives would be affected in great numbers, or for highly classified data. The GDPR law brings light to that area as well.
Let me define what infrastructure security is.
Infrastructure security covers all the design, measures and controls you have or take at your physical location (meaning the location where you hold your data). It ranges from architectural design features, like the materials used to build your walls, the number and positioning of windows, bullet- or blast-proof glazing, and the positioning of vaults and control rooms, to security personnel, cameras, shock sensors, alarms, lockable drawers, safes and so on. It includes a wide range of things, and the items listed here are just the tip of the iceberg.
But let me clarify something, because this is a very common mistake. Having all the infrastructure security components that are appropriate for your case does not mean that you are compliant or protected. I have to be very clear about this.
What makes you compliant with GDPR and protected?
Here is the thing. Based on my experience, these components are usually purchased randomly and placed either without a plan or based on a plan crafted by the company that sells them. Those companies focus on sales, and nothing requires a vendor of physical security components to be properly educated on how to secure an infrastructure. The result is that in 99% of cases it is as if the infrastructure were not there at all, because its components were not placed properly. You also pay more for things that are in excess when you could have used those resources to safeguard a more important point. Trust me: if you fall into the category of holding valuable data, the people who are coming for it can find an opening in the right security infrastructure, let alone the wrong one. It is a piece of cake for them.
A Real World Example
Let me give you an example to demonstrate that. I regularly evaluate infrastructure security, and one of those cases was an energy company. I found my way in, as there was no sign of security in the areas that really mattered. I walked around the head offices with no one asking who I was or what I was doing in the restricted areas. The cherry on the cake? I walked into the server room, where the door was wide open. I had access to literally everything! Then I went downstairs to the main public area, greeted the security guard and headed to the operators. That is when I was surprised. There were 12 perimetric cameras above 5 payment stations. OK, money is important, but 12 perimetric cameras above the tills, when from the server I could have transferred all electronic payments to any bank account I wanted? This is what I call a security waste!
Perimetric cameras take input from all around them, just like light bulbs. Unless there is an obstacle, they can cover a considerably large area in all directions. Twelve perimetric cameras crammed into a six square meter corner, from which the view of the remaining 100 square meters of floor plan was obstructed, were a waste and an excess.
This is an example of failing to cover the areas that need protection while over-covering, and wasting resources on, other areas. That is the sign of an inadequate infrastructure security plan. Obviously, this is not the everyday example for a small company, but based on your scale you can recognize the pattern.
How was this problem initiated?
- By selecting the wrong people to design your security infrastructure,
- Because the decision makers did not know that they needed a plan developed by a professional who understands infrastructure security strategy, and most importantly,
- By not merging physical and information security (there are more than these two aspects, but let's not over-complicate things here). This is the tricky one, and it is how the most sophisticated attackers manage to get into high-end secured infrastructures.
I would like to demonstrate what I mean with an example. People close to me constantly challenge me on how to penetrate a bank or an airport, or how to win a lottery. There are people who have asked me to delete their debt from a government database or a bank. The requests I get every day are hilarious. But the point is that in one of those cases I was handed the floor plan of a bank. The person showing it to me was so sure I could not hack it, and he pointed out the shock sensors, the alarms and all the fancy components he had put in place. In fairness, the design was good. But then I noticed a detail that would allow me to get everything without even going in. He could not believe it. Within 5 minutes of examining the environment I had cancelled out every security measure they had. I am not giving you this example to brag about my abilities. It shows how even big corporations with solid protection for their information and their infrastructure can still fail. And they fail because of one detail: they do not combine the two correctly. They treat information security and infrastructure security as two separate components, and this makes them weak and creates openings in their security.
One of the greatest mistakes you can make for your security is to address information and infrastructure security as two different things. This has been changing since 2012, and we now have a more appropriate approach that brings them together: holistic security, the security umbrella that almost eliminates the gaps between them.
To summarize this article: GDPR requires you to have infrastructure security. How much, and what kind, is customized and defined by your scale, and you can determine your scale with a threat level evaluation. Remember to ask for holistic security, which brings together both information and infrastructure security, and implement it according to a plan created by someone with deep knowledge of the matter.
It could be that all you need is a lockable drawer or a safe, or it could be 50 security guards combined with a vault and the complete set. In any case, the only person who can define this is a professional with knowledge of data, infrastructure and behavior.
So I am now turning it over to you. If you found this information on GDPR useful please share it with others. I would also like to hear your thoughts:
- Have you evaluated your threat levels in order to define what infrastructure measures you need to take in preparation for GDPR?
- What other questions do you have regarding GDPR that I could answer for you?
I cannot wait to hear your comments so leave them below and let’s continue the conversation.
So true. So many people think GDPR doesn't apply to paper. Thanks for clarifying.