Other data

The latent danger of sharing our personal data without verifying its use.

by: Gigi Agassini, CPP*

If we stop for a moment to think about the amount of information we generate, manage, share, store and use, you will probably agree that it does not compare to what we destroy. With the advancement of technology we have increased our use of applications and of electronic devices such as cell phones, tablets, speakers and digital assistants. The list only grows, and the news is that it will continue to increase.

We talked about it in the previous article, where I shared that there is a physical world and a digital one that interact with each other as one and, although they converge, are protected differently. Following this same principle, talking about information security or privacy in the digital world may sound a bit "abstract", because we prefer to give them up every time we want to buy something online, use a "free" or public Wi-Fi network, install an application of interest or try some novel game we have found, among many other things we now do as "normal" without stopping for a moment to think about the security of our data at the moment we share it.

This leads us to be much more relaxed about the management processes that secure information, and to not put in place the appropriate controls for each type of information. Let's start right there: it is true that the amount of data and information is so vast that we do not know where to start or, better yet, how to identify, sort and classify it.

Let us not lose sight of the fact that information is an asset, one of the most important, and that it can be tangible or intangible. The medium of transmission, the place of storage and the access to it are equally important, so identification and classification are a good starting point.

ISO2700 in Information Security Management
To help with this task we have ISO 27001. This standard is the best known for information security management systems; however, it is not the only one: additional best practices in data protection and cyber resilience are covered by several standards of the ISO 27000 family. In this way, organizations of all sectors and of any size can manage the security of information assets such as financial information, intellectual property, employee data and third-party information, to name a few.

Managing information well requires knowing exactly what type of information we have and who is responsible for it, as well as how it is classified across the different formats and media in which it exists, such as electronic documents, databases, paper documents, emails, storage media or verbal information.

With the above we should be able to classify it. How we do so will depend mainly on each company, which is what ISO 27001 tells us: "That the information should be classified according to the information security needs of the organization based on confidentiality, integrity and availability, as well as the requirements of the interested parties".

Let's talk about the typical classification system, which usually includes four levels: confidential, restricted, internal, and public. It is important to emphasize that this depends, without a doubt, on the organization, its strategy and governance, as well as its risk appetite, vision, objective and mission. Let's not forget that the owner of the asset is responsible for classifying the information.

It is important to "tag" the information once it has been classified and to assign the correct access to authorized people, along with the privileges each one has for managing it. Handling and processing classified information safely is of paramount importance, since this is how we manage the risk of losing any of the attributes the information must preserve: confidentiality, integrity and availability.

After this brief analysis of how we could classify information, I am sure that you have a better basis for looking inside your company or organization, asking some questions and making the adjustments that the ISO standard itself frames as continuous improvement.

Some of you have probably already implemented ISO 27001 and others from the main family, others are probably implementing the standard, and others are still thinking about whether or not to implement it. The important thing is that we become more aware of what type of information we are generating, sharing, using or storing, and that we are able to manage the risks around it.

Personal data
But there are still "the other data". Yes! The data we all use, but that nobody takes the precaution of caring for and protecting properly. But what are those other data? Nothing more and nothing less than "personal data": information that relates to an identified or identifiable individual. And what exactly is that data? It can be as simple as a name, a number or an address, or it can include other identifiers and other factors; even your IP address is personal data. If it is possible to identify an individual directly from the information being processed, then that information may be personal information.

The first paragraph of Article Four of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) defines:

"'personal data': any information relating to an identified or identifiable natural person... directly or indirectly, in particular by means of an identifier such as name, location data..."

Protecting personal data and privacy by design requires understanding and structure, above all to identify the reason why we want that data, how we are going to process it, and so on. This leads us to identify the roles involved in the processing of personal data and to ensure regulatory compliance for that processing.

It is important to know which legislation of our country or city applies, and of course the line of business matters too: an agency that handles medical data is not the same as a supermarket or a bank, so it is important to identify all these variables.

We are providing our personal information in some way all the time. If we want to carry out a procedure in the physical world, we must fill out endless documents or forms; if we want to know the balance of our bank account at the teller window, we have to provide personal data. It is no different in the digital world. The point is that we are always sharing our data. How much will depend on what we are doing, but even to receive a report or sign up with a media outlet you must share your personal data. If you think about it, the number of times we do this daily is overwhelming, but today it has become such a common activity that we have normalized it.

Remember I mentioned that there were several roles when it comes to personal data protection? It is very important to understand what they are and their role in relation to the personal data being processed to ensure regulatory compliance.

Let's start with the "data subject", which is the person providing the data; there are also the controller and the processor. The most important thing here is to ask: who determines the purposes for which the data is processed and the means of processing?

Controllers are primarily responsible for making these decisions: they exercise overall control over the purposes and means of processing personal data, and carry the greatest weight of regulatory compliance. If two or more controllers jointly determine the purposes and means of the processing of the same personal data, then they are joint controllers. Processors, in turn, are the ones who process the data, acting on behalf of and only following the instructions of the respective controller.

As you can see, there is a great deal behind your personal data, so it is extremely important that we stay aware in the moment before we simply "check" the privacy policy box, because that is where they tell us which data they will keep, how they will process and handle it and whether it will be shared with third parties, to mention a few points. Each user has the responsibility to read it to make sure that there is no violation of our privacy. And yes, I imagine what you are thinking: you will surely say that "you have nothing to hide". Then I only invite you to reflect on the following: What would you do if you woke up to find your email or photographs on the network? Or what if you were one of the victims of identity theft and were left with unpayable debts in the millions that stain your credit history?

Of course there is much more behind the processing and handling of personal data. It is important to at least understand the basics and be able to identify them in order to develop awareness: the only ones responsible for taking care of our personal data are ourselves.

Don't forget that the right to privacy is a human right.

Until next time!

* Gigi Agassini, CPP
International Security Consultant
GA Advisory