The French data protection supervisory authority CNIL has updated its 2010 guide on data security and adapted it to the GDPR. The 2010 guide is available in English; the new version is, for the time being, available only in French.

The data security principle (Art. 32 GDPR) aims at an appropriate management of data protection risks. For this risk management, the CNIL recommends a four-step approach:

  1. Identification of the data processing operations
  2. Risk assessment:
    • Determination of the potential impact on affected persons in three scenarios: (i) unauthorized access to personal data; (ii) unwanted modification of personal data; (iii) loss of data. Examples of undesired effects would include identity theft, unjustified accusations as a result of inaccurate data, or overlooking side effects in a medical treatment because medical data was lost.
    • Determination of the sources of risk, i.e., internal as well as external, and human as well as other hazards;
    • Determination of risk scenarios, i.e., the circumstances that may lead to a risk occurring;
    • Determination of the existing or possible security measures, i.e., technical and organizational security measures;
    • Probability assessment of the occurrence of the risk;
  3. Taking and checking risk mitigation measures
  4. Regular security checks
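The following is an added worked example, not part of the original post and not CNIL's own tooling. It walks a constructed processing operation (a clinic's patient-record system, invented for the illustration) through the four steps: the three feared events, their sources and circumstances, the impact on affected persons, the likelihood before and after existing measures, and a check that lists what still needs action. The four-level scale (negligible, limited, significant, maximum) follows the scale used in CNIL's PIA methodology; the multiplicative score, its thresholds and the number of levels a measure removes are assumptions made for this example.

```python
"""Toy risk register for the four-step approach summarised above.

Constructed example. The four-level scale mirrors CNIL's PIA
severity/likelihood scale; the scoring rule (impact x residual
likelihood), the thresholds and the per-measure reductions are assumptions.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    NEGLIGIBLE = 1
    LIMITED = 2
    SIGNIFICANT = 3
    MAXIMUM = 4


# The three feared events enumerated in the guide's risk-assessment step.
FEARED_EVENTS = ("unauthorized access", "unwanted modification", "loss")


@dataclass
class RiskScenario:
    feared_event: str            # one of FEARED_EVENTS
    source: str                  # internal/external, human/other hazard
    circumstances: str           # how the feared event could come about
    impact: Level                # potential impact on affected persons
    likelihood: Level            # probability before any measure is counted
    # (measure name, number of likelihood levels it is assumed to remove)
    measures: list = field(default_factory=list)

    def __post_init__(self):
        if self.feared_event not in FEARED_EVENTS:
            raise ValueError(f"unknown feared event: {self.feared_event}")


def residual_likelihood(s: RiskScenario) -> Level:
    """Likelihood once existing measures are accounted for (floor: negligible)."""
    reduction = sum(levels for _, levels in s.measures)
    return Level(max(int(Level.NEGLIGIBLE), int(s.likelihood) - reduction))


def risk_score(s: RiskScenario) -> int:
    """Assumed rule: impact x residual likelihood, range 1..16."""
    return int(s.impact) * int(residual_likelihood(s))


def risk_rating(s: RiskScenario) -> str:
    """Assumed thresholds that turn the score into a step-3 decision."""
    score = risk_score(s)
    if score >= 9:
        return "must be reduced"
    if score >= 4:
        return "should be reduced"
    return "acceptable"


def add_measure(s: RiskScenario, name: str, levels_removed: int) -> RiskScenario:
    """Step 3: record a mitigation measure and return the updated scenario."""
    return RiskScenario(s.feared_event, s.source, s.circumstances, s.impact,
                        s.likelihood, s.measures + [(name, levels_removed)])


def open_items(register: list) -> list:
    """Step 4 check: scenarios whose rating still calls for action, highest first."""
    pending = [s for s in register if risk_rating(s) != "acceptable"]
    pending.sort(key=risk_score, reverse=True)
    return [f"{s.feared_event} via {s.source}: {risk_rating(s)}" for s in pending]


# Step 1 (constructed): a clinic's patient-record system and its scenarios.
REGISTER = [
    RiskScenario("unauthorized access", "external human",
                 "credentials of a staff account are phished",
                 Level.SIGNIFICANT, Level.MAXIMUM),          # identity theft
    RiskScenario("unwanted modification", "internal human",
                 "a clerk edits the wrong patient's file",
                 Level.SIGNIFICANT, Level.LIMITED),          # inaccurate data
    RiskScenario("loss", "other hazard",
                 "the only database disk fails",
                 Level.MAXIMUM, Level.SIGNIFICANT,
                 measures=[("tested nightly backups", 2)]),  # lost medical data
]

if __name__ == "__main__":
    for line in open_items(REGISTER):
        print(line)
    # Step 3 on the worst item, then step 4 again to see what remains.
    improved = [add_measure(REGISTER[0], "multi-factor authentication", 2)] + REGISTER[1:]
    print("after MFA:", open_items(improved))
```

The register is deliberately a plain list of dataclass instances so that step 4 (the periodic re-check) is just a re-run of `open_items` over the current register; adding a measure never mutates an existing entry, which keeps the earlier assessment available for comparison.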

The second stage, risk assessment, can be presented as follows:

The guide then describes technical and organizational security measures in accordance with the GDPR in 17 chapters:

  1. Raise users' awareness
  2. Authenticate users
  3. Manage access rights
  4. Log access and manage incidents
  5. Secure workstations
  6. Secure mobile computing
  7. Protect the internal computer network
  8. Secure servers
  9. Secure websites
  10. Back up and plan for business continuity
  11. Archive securely
  12. Supervise maintenance and the destruction of data
  13. Manage subcontracting (processors)
  14. Secure exchanges with other organisations
  15. Protect the premises
  16. Supervise software development
  17. Encrypt, guarantee integrity or sign