To assist companies to comply with European data protection laws, in particular those implemented in France, the French Data Protection Agency (known as “CNIL”) recently issued a set of guidelines organized by topic which provide elementary precautions to be taken by data controllers in several subject areas, including what types of conduct are prohibited as well as the CNIL’s recommendations in these areas.
According to article 34 of the French Data Protection Act of January 6, 1978 (as later amended, the “Act”), data controllers must take all useful precautions, depending on the nature of the data and the risks involved in processing it, to preserve the security of the data and, in particular, to prevent its alteration and damage, or access by non-authorized third parties.
Failure to do so is punishable by five years’ imprisonment and a fine of €300,000.
This duty to ensure the security of data continues throughout all stages of data processing, i.e. from the data’s creation, to its use, back-up, filing and through to its eventual destruction.
In its recently issued guidelines, the CNIL particularly recommends that companies:
1. Manage/Restrict access to data:
- Give a user-ID to each data processor in order to authenticate such user by means of a password, smartcard, digital fingerprint, etc., and make sure that in cases where a password is used, it is modified every 3 months. The CNIL also recommends that companies remind their employees never to give their passwords to anyone, never to use the same password for different accesses, and not to configure their software so that passwords are recorded;
- Implement a permission management system to determine which category of employees may have access to each database. The CNIL considers that each user should only have access to the data s/he needs for carrying out his/her duties. In order to have an effective permission management system, it is, for instance, advised to delete users’ access permissions as soon as they are no longer authorized to have such access or processing rights, as well as when they are terminated.
2. Log/Register the actions made by users on the system during a defined period of time:
- According to Article 6 of the Act, processing may only be performed on personal data that meets the following conditions: the data shall be obtained and processed fairly and lawfully; it shall be obtained for specified, explicit and legitimate purposes; and it shall not subsequently be processed in a manner that is incompatible with those purposes.
- The CNIL recommends that any logs of user data should be stored for a maximum of 6 months.
- The data components to be stored are: the user number, the log-in date and time, and the log-out date and time.
3. Guarantee the integrity of the data:
- Article 6 of the Act provides that data shall be accurate, complete and, where necessary, kept up-to-date;
- The CNIL recommends implementing measures to avoid viruses and fraudulent intrusions of company computers, and to secure remote access via Internet. To this end, the following protective measures may be introduced: limiting the number of access log-in attempts, implementing firewalls and automatic lock sessions, and using up-to-date antivirus programs.
4. Implement processes enabling the deletion, archiving or anonymization of the data:
- Article 6 of the Act also provides that data shall be stored in a form that allows the identification of data subjects for a period no longer than is necessary for the purposes for which such data was obtained and processed;
- Two types of anonymization exist. The first is irreversible, i.e., there is no ability to make the data identifiable to an individual again. The second is reversible and allows the anonymized data to be converted back into a format in which the personal data is maintained. Regarding reversible anonymization, the CNIL specifies that the re-identification process must be very secure.
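The access-control and logging points under items 1 and 2 above translate directly into a few enforceable checks. The following Python sketch is an added example, not code from the CNIL or from any product it references: it assumes a hypothetical role-to-database table, approximates the "3 months" password age and "6 months" log retention as 90 and 183 days, and keeps an access log holding only the three fields the guidelines name (user number, log-in time, log-out time). All users, roles and timestamps are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Approximations of the CNIL figures (assumption: 3 months ~ 90 days, 6 months ~ 183 days)
PASSWORD_MAX_AGE = timedelta(days=90)
LOG_RETENTION = timedelta(days=183)

# Hypothetical role -> databases table; each role sees only what its duties require
ROLE_PERMISSIONS = {
    "hr": {"payroll", "employees"},
    "support": {"customers"},
}


@dataclass
class User:
    user_id: str            # the per-person user-ID the guidelines call for
    role: str
    password_set: datetime  # when the current password was last changed
    active: bool = True     # cleared on termination; revokes every permission at once


def password_expired(user: User, now: datetime) -> bool:
    """True when the password is older than the 3-month rotation window."""
    return now - user.password_set > PASSWORD_MAX_AGE


def can_access(user: User, database: str, now: datetime) -> bool:
    """Least-privilege check: active user, fresh password, database within the role."""
    if not user.active or password_expired(user, now):
        return False
    return database in ROLE_PERMISSIONS.get(user.role, set())


def terminate(user: User) -> None:
    """Deprovision on departure: permissions derive from role + active flag, so this is immediate."""
    user.active = False


@dataclass
class AccessLog:
    # Each entry stores only user number, log-in time and log-out time
    entries: list = field(default_factory=list)

    def record(self, user_id: str, login: datetime, logout: datetime) -> None:
        self.entries.append({"user_id": user_id, "login": login, "logout": logout})

    def purge(self, now: datetime) -> int:
        """Drop entries older than the 6-month retention limit; return how many remain."""
        cutoff = now - LOG_RETENTION
        self.entries = [e for e in self.entries if e["login"] >= cutoff]
        return len(self.entries)


def rotation_report(users: list, now: datetime) -> list:
    """User-IDs whose passwords are past the rotation deadline (for a periodic review)."""
    return [u.user_id for u in users if password_expired(u, now)]


def demo() -> dict:
    """Constructed scenario exercising each check; returns the outcomes for inspection."""
    now = datetime(2024, 6, 1)
    alice = User("u001", "hr", now - timedelta(days=30))
    bob = User("u002", "support", now - timedelta(days=120))  # stale password
    results = {
        "alice_payroll": can_access(alice, "payroll", now),      # True: in role
        "alice_customers": can_access(alice, "customers", now),  # False: outside role
        "bob_customers": can_access(bob, "customers", now),      # False: password expired
        "stale": rotation_report([alice, bob], now),             # ['u002']
    }
    terminate(alice)
    results["alice_after_termination"] = can_access(alice, "payroll", now)  # False

    log = AccessLog()
    log.record("u001", now - timedelta(days=200), now - timedelta(days=200, hours=-1))
    log.record("u001", now - timedelta(days=10), now - timedelta(days=10, hours=-2))
    results["log_entries_after_purge"] = log.purge(now)  # 1: the 200-day-old entry is removed
    return results


if __name__ == "__main__":
    print(demo())
```

The design keeps permissions a pure function of role and status, so revoking a departing employee's access is one flag change rather than a hunt through per-database grants, and the log purge runs the retention rule against the same timestamps the log already holds.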
In order to guide companies to self-assess the level of security of their data processing, the CNIL has issued a questionnaire that focuses on the following points:
- Analysis of the risks;
- Authentication of the users;
- Permissions management;
- Work stations security;
- Mobile IT security;
- Back-ups;
- Maintenance security;
- Log files access security;
- Protection of the premises;
- Protection of the internal IT network;
- Servers and applications security;
- Managing subcontracting;
- Archiving; and
- Security of data exchanges with other companies.
To continue to strengthen companies’ security with regard to data processing, the CNIL has announced that a more detailed document is being prepared.