For some years now, armored doors have been common at the entrance to houses. It can be said that this is a reasonable security measure in terms of efficiency (security results obtained against cost). I remember that for a long time these new doors coexisted with the old practice of leaving a copy of the keys in the gatehouse, clearly labeled with the house address, in an unlocked box and protected only by a conventional door. “Just in case it’s needed,” people usually said.
Nowadays, many companies do the same with their clients’ information. They invest a fortune in protecting data in the production environment. But then they copy that exact data to nonproduction environments: to use it internally in software development and testing, to give it to a third party for statistical studies, to analyze it from the operational side, and for other similar uses for which real data is not strictly needed. For this, information protected under GDPR is more appropriate.
We know that most security breaches are due to human factors rather than technical ones, so it seems downright reckless to take data out of well-protected environments and make it available to unauthorized internal and external employees.
As an example, just a few days ago the first sanction for a breach of GDPR was announced. The German company Knuddels has been fined €20,000 by LfDI Baden-Württemberg, the authority responsible for ensuring data protection in Baden-Württemberg, Germany. From the news and the comments published, two things can be said:
- If a leak is known, the best option is to collaborate, at least if the acting agency is LfDI Baden-Württemberg. This body assessed as positive the actions taken by Knuddels and the transparency shown in the management of the incident, and for this reason kept the fine relatively low.
- In general, experts demand additional measures for protecting real data. But they still overlook that it is common to find completely unprotected copies in nonproduction environments.
Here is where the GDPR comes into play: it recommends processing personal data with an anonymization or pseudonymization process before providing access to people who don’t really need the real information but who do need consistent data.
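One way to pseudonymize a production extract while keeping it consistent for testing, shown as an added example that is not part of the original article: personal fields are replaced with keyed HMAC-SHA256 tokens, so the same e-mail maps to the same token in every table and joins still work. The table layout, column names and function names are assumptions, and the sample rows are constructed.

```python
import hashlib
import hmac

# Constructed sample rows standing in for a production extract.
CUSTOMERS = [
    {"id": 1, "email": "ana@example.com", "name": "Ana Ruiz", "plan": "gold"},
    {"id": 2, "email": "ben@example.com", "name": "Ben Ode", "plan": "free"},
]
ORDERS = [
    {"order_id": 10, "customer_email": "ana@example.com", "total": 42.5},
    {"order_id": 11, "customer_email": "ANA@example.com ", "total": 7.0},
    {"order_id": 12, "customer_email": "ben@example.com", "total": 19.9},
]

def pseudonym(value, key, domain):
    """Keyed, deterministic token: the same value, key and domain give the same token."""
    normalized = value.strip().lower()  # so trivially different spellings still match
    msg = domain.encode() + b"\x00" + normalized.encode("utf-8")
    # Truncated to 64 bits for readable test data; keep the full digest for large sets.
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

def pseudonymize_rows(rows, key, fields):
    """Return copies of rows with personal columns replaced by tokens.

    fields maps column name -> domain label; columns sharing a domain
    (email / customer_email) get matching tokens, which preserves joins.
    """
    out = []
    for row in rows:
        copy = dict(row)  # never modify the source rows
        for column, domain in fields.items():
            if copy.get(column) is not None:
                copy[column] = pseudonym(str(copy[column]), key, domain)
        out.append(copy)
    return out

def export_for_test(key):
    """Build the nonproduction copy of both tables (hypothetical helper)."""
    customers = pseudonymize_rows(CUSTOMERS, key, {"email": "email", "name": "name"})
    orders = pseudonymize_rows(ORDERS, key, {"customer_email": "email"})
    return customers, orders

if __name__ == "__main__":
    import secrets
    key = secrets.token_bytes(32)  # stays in production, never shipped with the copy
    for table in export_for_test(key):
        for row in table:
            print(row)
```

Whoever holds the key can recompute the tokens and link them back to real people, so the key must stay in the protected environment; pseudonymized data is still personal data under GDPR, unlike properly anonymized data.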