Personal digital security and passwords

The security of personal data is in the interest of both individuals and the organizations that process that data. In order to assess the risks generated by any processing, it is first necessary to identify the potential impact on the rights and freedoms of individuals. Although organizations must protect data (personal or not) for their own interests, the emphasis is on protecting the data of individuals.

Data security encompasses three main components: protecting the integrity, availability, and confidentiality of data. Organizations therefore need to assess the risks to:

• unauthorized or accidental access to data - breach of confidentiality (e.g. identity theft after disclosure of employee payslips)
• unauthorized or accidental modification of data – violation of integrity (e.g. falsely accusing a person of altering access records)
• loss of data or access to data – violation of availability (e.g. inability to detect drug interactions due to unavailability of the patient's electronic medical record).

It is also necessary to identify sources of risk (i.e. who or what could be the cause of a security incident), taking into account human internal and external sources (e.g. IT administrator, user, external attacker, competitor) and other internal or external sources (e.g. flood, hazardous substances, accidental computer virus).

The identification of risk sources enables the identification of threats (i.e. circumstances that can lead to a security incident) related to assets (e.g. hardware, software, communication channels, paper), which can be:

• used inappropriately (e.g. abuse of rights, handling error)
• modified (e.g., keylogger, malware installation)
• lost (e.g., theft of laptop, loss of USB memory)
• observed (e.g., looking at a screen on a train, device geolocation)
• damaged (e.g. vandalism, natural deterioration)
• overloaded (e.g., disk full, denial of service attack)
• unavailable (e.g., case of ransomware attack).

It is also recommended:

• determine existing or planned measures to manage each risk (e.g., access control, backups, monitoring, physical protection, encryption)
• assess the severity and likelihood of the risk, using a scale (negligible, moderate, significant, maximum)
• implement and monitor measures, if deemed appropriate
• conduct regular security audits, each of which should result in an action plan whose implementation must be monitored at the highest level of the organization.

The General Data Protection Regulation (GDPR) introduces the concept of a Data Protection Impact Assessment (DPIA), mandatory for any processing of personal data that is likely to result in a high risk to individuals. The DPIA must contain planned measures to manage the identified risks, including safeguards, security procedures and mechanisms to ensure the protection of personal data.