Data Protection Controls… what is it?

2021-07-05

Data protection is a set of strategies and is vital for any organisation that collects, handles, or stores personal data. A successful strategy can help prevent data loss, theft, or corruption and can help minimise damage caused in the event of a breach. Operational controls are procedures and rules implemented to protect systems, applications, and the organisation as a whole.

A set of policies and standard operating procedures (SOPs) addresses the gaps across the information lifecycle.

Here is an example of gaps documented across the business processes of an organisation in our DPOinBOX platform, which helps organisations create and manage a data privacy management programme. The red areas mark the stages of the information lifecycle where that particular process has gaps.

A screenshot of the documented business processes in an organisation in the DPOinBOX platform

In the screenshot above, the green boxes mark the parts of a business process that comply with the data protection law, whereas the grey boxes mark the areas of a business process to which the law does not apply.

Types of Data Protection Controls

The types of controls are identified as:

  1. Technical controls,
  2. Administrative controls and
  3. Physical controls - Operational and architectural

Technical controls

In the current digital environment that is constantly processing and storing large amounts of personal data, security is of utmost importance to an organisation. Typically, organisations fail to see a number of things that can compromise network security and open data up to risks. Controls are designed to guard information within an organisation against unauthorised access, modification, or disclosure. Technical security controls include both software and hardware solutions.

There is no mystery about the basic technical security controls: they include everything from two-factor authentication to firewalls, antivirus software, spam filters, keeping your software updated, changing your password regularly and other hardware-based solutions. In the event of a hacking attack, technical controls are considered the first line of defence. These technical controls should be defined as a strategy in policies such as the organisation’s Data Protection Policy and Information Security Policy.

The screenshot above, from the DPOinBOX platform, shows a process related to consumer respondent profiling with no security/encryption in place.

Administrative controls

Administrative controls define the human factors of security. They involve all levels of personnel within an organisation and determine which users have access to which resources and information. Other critical controls also need to be implemented to ensure that your organisation is secure. Administrative controls are typically used to reduce the risk of unauthorised access, modification, and destruction of personal data.

These controls are typically reflected in documents such as data protection policies and standard operating procedures (SOPs). An example of an administrative control is scheduled PDPA-related training as part of the organisation's yearly training calendar.

The screenshot above, from the DPOinBOX platform, shows a process related to customer service with no contract in place (an outsourcing issue).

Physical controls - Operational and architectural

A company's information security policies and procedures can help prevent unauthorised access to data, minimise damage caused when that data is accessed, and demonstrate its commitment to privacy and data security.

In today's business environment, personal data needs to be protected through multiple levels of security. Security controls must be implemented from the physical architecture to the application layer, and from the perimeter to the inside of a company’s network. Hence, operational security controls are an essential part of any organisation's security architecture.

These are the things employees do every day in the organisation’s day-to-day operations, every time they access a system, location or storage. The controls are there to ensure that your systems, networks and databases operate securely. An example of an operational and architectural control is storing confidential documents in locked filing cabinets.

The screenshot above, from the DPOinBOX platform, shows an operational/architectural control deployed for access control; the process shown is consumer refund management.

Best practices/measures

There are three categories of controls:

  1. Preventative,
  2. Detective and
  3. Corrective

Preventative controls

Preventative controls are safeguards put in place to stop or eliminate a known threat before it can be exploited. They are the security controls a business puts in place to ensure that the information it holds is protected from unauthorised access, destruction or disclosure; they work alongside other measures that manage the processing of personal data.

Preventative controls help to ensure that the business complies with the strict security requirements of the data protection laws. An example of a preventive control is multiple authorisation levels to ensure that information cannot be tampered with or modified without proper approval, i.e. a maker-checker arrangement, or access control into a premise or system to prevent unauthorised access.
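The maker-checker arrangement mentioned above, as an added example (not DPOinBOX code): one user stages a change to a personal-data record, and only a different user holding the checker role can apply it, with every step written to an audit log. The record, user names and in-memory store are constructed for illustration.

```python
# Maker-checker (four-eyes) control over changes to a personal-data record.
# Added example for this article, not DPOinBOX code; the record, user names
# and in-memory store are constructed for illustration.
from dataclasses import dataclass, field


class ControlViolation(Exception):
    """A change was attempted without a valid second approval."""


@dataclass
class MakerCheckerStore:
    records: dict                    # record_id -> {field: value}
    approvers: set                   # user ids holding the checker role
    pending: dict = field(default_factory=dict)   # req_id -> (rec, field, value, maker)
    audit_log: list = field(default_factory=list)
    next_id: int = 1

    def propose(self, maker, record_id, field_name, new_value) -> int:
        """Maker stages a change; the live record is not touched yet."""
        req_id, self.next_id = self.next_id, self.next_id + 1
        self.pending[req_id] = (record_id, field_name, new_value, maker)
        self.audit_log.append(f"PROPOSED #{req_id} by {maker}: {record_id}.{field_name}")
        return req_id

    def approve(self, checker, req_id) -> None:
        """Checker applies a pending change; enforces separation of duties."""
        if req_id not in self.pending:
            raise ControlViolation(f"no pending request #{req_id}")
        record_id, field_name, new_value, maker = self.pending[req_id]
        if checker not in self.approvers:
            raise ControlViolation(f"{checker} does not hold the checker role")
        if checker == maker:
            raise ControlViolation("maker may not approve their own change")
        self.records[record_id][field_name] = new_value
        del self.pending[req_id]
        self.audit_log.append(f"APPLIED #{req_id} approved by {checker}")


def demo() -> dict:
    """Constructed walk-through: two rejected approvals, then a valid one."""
    store = MakerCheckerStore({"C-1001": {"email": "old@example.com"}}, {"alice", "bob"})
    rid = store.propose("alice", "C-1001", "email", "new@example.com")
    rejected = 0
    for checker in ("alice", "carol"):   # self-approval, then a user without the role
        try:
            store.approve(checker, rid)
        except ControlViolation:
            rejected += 1
    store.approve("bob", rid)
    return {"email": store.records["C-1001"]["email"], "rejected": rejected,
            "pending": len(store.pending), "log_entries": len(store.audit_log)}
```

The rejected attempts leave the record and the pending request untouched, which is the point of the control: the modification itself is impossible until a second, authorised person approves it.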

Detective controls

The ability to detect unusual activity and data loss incidents has become critical to organisations. Detecting attacks and suspicious behaviour is difficult, but not impossible. Many organisations use an organised approach, combining tools and techniques to detect incidents. Examples of detective controls are a smoke/fire detector system in a building, or an alarm that triggers when the door to the storage area is not shut properly.

Corrective controls

In the data protection context, one of the most common and critical controls is the data protection impact assessment (DPIA). Assessing the impact of new or revised policies, procedures, or practices on the organisation's data and IT systems is a fundamental part of achieving data protection compliance.

The DPIA is a tool that helps organisations identify, prioritise, and mitigate the risks to their data and IT systems. It helps organisations understand the threats to their data and IT systems, and the impact that new or revised policies, procedures, or practices will have.

Conclusion

Data protection initiatives in an organisation are not complete without controls. Related articles described the gap assessment and highlighted how an assessment focusing on key risk areas, together with the control measures covered here, helps to ensure that appropriate measures are designed and implemented for the Protect phase. The global challenge in today's era of rapid digitalisation is that organisations may be blindsided by digital risks they did not know existed. Balancing the cost of controls against company operations and the bottom line will be a challenge for organisations.

As illustrated above, the DPOinBOX software has capabilities to aid organisations in identifying and implementing controls to manage their data protection management programme effectively and easily.


Article By: Benjamin Shepherdson, GDPR & InfoSec (Exin), GRCP, CIPM

The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEX Network.


