PDPC publishes new guidelines on data protection practices
The Personal Data Protection Commission (PDPC) recently published the following new guidelines:
- A new edition of the Guide to Data Protection Practices for ICT Systems (“Guide”), which consolidates data protection practices from previous PDPC guidelines and advisory guides. The Guide also includes lessons learned from past data breaches and recommends basic and enhanced practices that organizations can incorporate into their information and communications technology (ICT) policies, systems and processes.
- Based on past data breach cases handled by the PDPC, the manual on how to guard against common types of data breaches (“Manual”) identifies the five most common gaps in the management of ICT systems and processes that can lead to data breaches. The Manual provides examples and recommendations on good practices that organizations can adopt to close these gaps and guard against these common data breaches.
- Two checklists to guard against common types of data breaches (“Checklists”), which help organizations implement and review existing policies, technology controls and processes to avoid the common mistakes that often lead to data breaches.
Companies should consider how to integrate the PDPC Guide, Manual and Checklists into their day-to-day practice, for example by publishing an internal FAQ for employees and by adopting internal policies for the application development and engineering teams.
All organizations are required under the Personal Data Protection Act 2012 to protect the personal data they own or have under their control.
To meet this obligation and ensure robust and resilient ICT systems, organizations must:
- Ensure that their ICT policies, systems and processes adopt the Guide as a minimum level of data protection.
- Avoid the common gaps in the management of ICT systems identified in the Manual and implement the corresponding ICT good practices to prevent common data breaches.
- Review existing policies, technology controls and processes against the Checklists, tailored to the organization’s activities and operations.
In more detail: the guide, manual and checklists
To allow easy reference by an organization’s ICT staff, as well as its suppliers, the latest Guide groups data protection practices for ICT systems into three main sections and recommends basic and enhanced ICT practices that organizations can put in place to support each stage of the data lifecycle:
- Risk management policies and practices, covering governance; collection of personal data; notification of purpose; management of consent; access; correctness and accuracy of personal data; maintenance of personal data; and retention of personal data
- ICT control measures, covering authentication, authorization and passwords; computer networks; database security; web applications and website security; and ICT security and testing
- Standard operating procedures and ICT operations, covering security awareness; personal computers and other computing devices; portable computing devices and removable storage media; compliance, monitoring, alerts, testing and audits; and cloud computing
The Guide also provides a checklist of best practices that organizations should include in developing their data breach management plan.
Based on case studies, the Manual identifies the following five most common gaps in the management and processes of ICT systems, together with the corresponding good ICT practices for preventing them:
- Coding issues: Mistakes made during the programming phase of software development can lead to application errors that result in the disclosure of personal data. These errors can be avoided by designing before coding and performing a thorough impact analysis; investing effort in documenting all software, functional and technical specifications; and ensuring that the application is thoroughly tested and subjected to code review.
- Configuration issues (including code management and deployment issues): Many ICT system components (e.g. application / web server, database, operating system, firewall) have configurable parameters and settings. Insecure settings, including default settings, can lead to the unintentional disclosure of personal data. Configuration vulnerabilities can be avoided by hardening the system configuration, i.e. making the appropriate changes to settings rather than relying on default settings to be sufficiently secure; by automating the build and deployment processes; and by systematically managing configuration parameters.
- Malware and phishing: Email phishing attacks are often used against employees with unrestricted Internet access to trick them into revealing their login credentials or other sensitive information, or into downloading attachments that contain malware. To counter these threats, organizations should conduct regular phishing simulation exercises, educate employees to recognize phishing and other forms of social engineering, consider restricting Internet access, install endpoint security solutions, and ensure that personal data is automatically and regularly backed up.
- Security and responsibility issues: Security must be taken into account during the design and development phases of an ICT system, and subsequently during its maintenance. To prevent systems from becoming more vulnerable over time, and to avoid the risk of a data breach in a test environment, organizations should create synthetic data (i.e. fake personal data, or data anonymized from real data) for development and testing in non-production environments; protect personal data through access control; and clearly assign responsibility for ICT security to a designated person or team.
- Accounts and passwords: Accounts and passwords must be managed securely; otherwise, weak passwords or accounts falling into the wrong hands will allow unauthorized access to ICT systems without requiring sophisticated attacks. Organizations should periodically review user accounts and remove unnecessary ones, ensure passwords are not exposed in code or configuration files, minimize the risk of brute force attacks, adopt and enforce a strong password policy, and require complex passwords or multi-factor authentication for administrative accounts.
The Checklists complement the Manual and are intended to help organizations:
- Prevent coding issues by implementing best practices during the application development phase and support process, and thus avoid resulting application errors leading to the subsequent disclosure of personal data.
- Improve security awareness and responsibilities when coding.
Organizations that process personal data (e.g. names and email addresses) for generic communication purposes such as direct marketing or customer support should adopt the recommended basic practices. Where organizations hold large amounts of different types of personal data, or data that could be of a more sensitive nature for individuals or organizations, the PDPC expects them to implement, in addition, the relevant enhanced practices suggested in each section.
Baker McKenzie Wong & Leow is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, a reference to a “partner” means a person who is a partner or the equivalent in such a law firm. Likewise, a reference to an “office” means an office of such a law firm. This may qualify as “attorney advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.