1. RISK ANALYSIS AND SECURITY MEASURES

1.1 RISK ANALYSIS

The approval of the GDPR represents a paradigm shift in the way any company internally manages data protection. In the previous regulatory model, derived from Directive 95/46/EC, LOPD 15/1999, and its regulations (RDLOPD), security measures were established based on the level of security of personal data processed by data controllers and processors.

In the GDPR-derived model, companies must conduct a detailed analysis of the risks associated with these processes and manage these risks by establishing security measures deemed necessary and reasonable for the treatment of such risks. ETTS has successfully implemented this.

Moreover, risk analysis helps determine whether it is advisable, necessary, or mandatory to appoint a Data Protection Officer (DPO) within the company and whether it is necessary to conduct a Data Protection Impact Assessment (DPIA) for certain processes posing a high risk to individuals’ rights and freedoms.

The data protection risk management process is structured into the following phases:

• Risk Identification
• Risk Assessment
• Risk Treatment

Once a risk is identified and assessed, four possibilities for its treatment are considered:

• Acceptance
• Transfer
• Mitigation
• Avoidance

The objective of risk treatment is to bring it to an acceptable level for the Data Controller or Processor.

If a risk is not critical enough for the Data Controller, a control measure may be to accept the risk, meaning being aware of its existence and monitoring it. Conversely, if the risk poses a significant threat to information security, the decision may be to transfer, mitigate, or avoid that risk.

Risk transfer involves making a third party responsible for managing the possibility of a negative impact (realization of the risk). Generally, risks are transferred through insurance, guarantees, and/or contracts. Mitigating a risk involves reducing the likelihood of its occurrence and/or mitigating its consequences.

Finally, avoiding a risk means eliminating the threat causing it. This can be achieved by better protecting the main objectives of personal data processing from potential negative impacts or by modifying the temporal planning or scope of data processing to prevent the risk.

This risk management must balance the costs of controlling activities, the importance of data processing for the Controller or Processor’s processes, and the level of criticality of the risk.

1.1.1 RISK MANAGEMENT AND DETERMINATION OF SECURITY MEASURES APPLICATION

Article 32 of the GDPR provides that, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, as well as the variable risks of probability and severity to the rights and freedoms of individuals, the Data Controller and Processor shall apply appropriate technical and organizational measures to ensure a level of security appropriate to the risk. With this in mind, ETTS has adopted:

1. Pseudonymization and encryption of personal data.
2. Measures ensuring permanent confidentiality, integrity, availability, and resilience of processing systems and services.
3. The ability to restore the availability and access to personal data quickly in case of a physical or technical incident.
4. Implementation of processes for regular verification, evaluation, and assessment of the effectiveness of technical and organizational measures to ensure the security of processing.
5. Periodic risk assessment/analysis in processing.

For this purpose, the following classification is identified:

1. Preventive Controls: actions or measures aimed at preventing and/or avoiding errors, omissions, and irregularities in the user’s interaction with the information system and paper documentation. They become the implementation of measures that allow for action prior to the materialization of the risk.
2. Detective Controls: detect vulnerabilities in the system and measures applied after their occurrence.
3. Corrective Controls: aimed at mitigating the consequences of the risk causes in any of the processing areas where they have occurred.

Depending on the treatment and its associated risks, specific security measures will be applied to accept, mitigate, transfer, or eliminate the risk.

The following basic measures have been proposed to address risks:

1.2 PREVENTIVE CONTROLS

SECURITY REGULATIONS FOR PERSONNEL:

• Establishment of an internal security policy, known by internal and/or external staff, allowing the knowledge and application of security measures and procedures.

ACCESS CONTROL

• Personnel only have access to the resources and information necessary for the performance of their duties.

IDENTIFICATION AND AUTHENTICATION SYSTEMS

• Use of a username and password for access to information systems.
• Individualized and confidential access codes.
• Access to applications according to the authorized user profile.
• Periodic modification of access codes, at least once a year.
• Unintelligible storage of passwords.

MEDIA AND DOCUMENT MANAGEMENT

• Means for identifying the type of data contained in storage media.
• Labeling system.
• Inventory of media: additions and removals of media.
• Prior authorization for the removal of media and documents from the Data Controller’s premises.
• Discarded or reused media: Destruction system preventing any attempt at subsequent recovery.
• The transfer of media requires the adoption of measures preventing theft, loss, or unauthorized access.
• Labeling identifying the date of creation, destination, and type of data contained, understandable to authorized personnel.
• Distribution of media will be done by encrypting such data or using another mechanism ensuring that the information is not accessible or manipulated during transport.

BACKUP COPIES AND DATA RECOVERY

• Backup and recovery process allowing the retrieval and reconstruction of data in case of a computer system failure.
• Designation of a person or external entity responsible.
• Minimum weekly implementation.
• For the correct configuration of the backup procedure, real data is not used. If necessary, a copy of the data will be made in advance, and necessary measures will be taken not to affect the confidentiality, integrity, and security of personal data.
• A backup copy is kept in a different location from where the computer equipment processing them is located, using elements that guarantee the integrity and recovery of information, allowing its retrieval.
• In the case of special categories of data, a backup copy is maintained outside the company’s premises.

DATA PROTECTION COORDINATION

A Data Protection Coordinator has been appointed, responsible for overseeing and controlling compliance with data protection regulations.

TELECOMMUNICATIONS

Data transmitted through public or wireless electronic communications networks, especially those of special categories of data, are encrypted to ensure that the information is intelligible and not manipulated by third parties during transmission.

DATA RETENTION

Data retention periods are established based on the category of data and its purposes. Mechanisms are also established for the deletion of data once the retention period has expired, for both electronic and paper support.

DESTRUCTION OR ERASURE AND ADOPTION OF MEASURES TO PREVENT ACCESS TO INFORMATION

Data is securely destroyed or erased, particularly when discarding equipment or media (HDD, USB devices, CDs, etc.). Before recycling or eliminating them, they are formatted, deleted, and securely destroyed, making data recovery impossible.

1.3 DETECTIVE CONTROLS

IDENTIFICATION AND AUTHENTICATION

A mechanism has been established that limits the possibility of repeatedly attempting unauthorized access to the information system.

BACKUP COPIES AND DATA RECOVERY

ETTS verifies every 6 months the proper execution, functioning, and recovery of backups.

AUDIT

Periodically, information systems and data processing and storage facilities undergo internal or external audits to verify compliance with regulations.

• Extraordinary audit: In case of substantial changes to the information system and in addition to Impact Assessments.
• The audit report addresses:
  1. Adequacy of measures and controls to the GDPR and national regulations.
  2. Identification of deficiencies and proposing corrective or complementary measures.
  3. Including data, facts, and observations on which the reached opinions are based.
  4. Proposed recommendations.

• Elevation of conclusions to ETTS for the adoption of the necessary measures for the implementation of improvements.

INCIDENT LOG

• Implemented a procedure for the notification and management of incidents affecting personal data.
• The content of the log includes:
  1. Type of incident.
  2. Moment it occurred or was detected.
  3. Person making the notification.
  4. Recipient of the communication.
  5. Effects resulting from the incident.
  6. Corrective measures applied. 

ACCESS LOG

• For each access to especially protected personal data in electronic media, the following is recorded:
  1. User identification.
  2. Date and time of access.
  3. Accessed data.
  4. Type of access.
  5. Whether it was authorized or denied. If authorized, information allowing the identification of the accessed record is stored.

• Deactivation of installed access logs is not allowed. The data contained in the log will be retained for a minimum of 2 years.
• The log is controlled by the Data Controller, their IT Manager, Data Protection Coordinator, or, if applicable, the Data Protection Officer.
• The logs and the contained information are periodically reviewed, producing the corresponding report of the reviews conducted and the issues detected.

1.4 CORRECTIVE CONTROLS

BACKUP COPIES AND DATA RECOVERY

• Procedures for data recovery guaranteeing its reconstruction in the state it was in at the time of loss or destruction.

INCIDENT LOG

• Procedures for data recovery are included in the Incident Log, indicating:
  1. Person who executed the process.
  2. Restored data.
  3. If necessary, which data needed to be manually recorded in the recovery process.

• Authorization from ETTS is required for the execution of data recovery procedures.