Data protection and cybersecurity in Portugal: challenges ahead through 2023

In late February 2023, IBM Security X-Force Threat, a team at IBM that deals with cyber threats, published its 2023 report which brings together global-scale information gathered in 2022. The Intelligence Index report tracks cyberattack patterns from billions of pieces of data, including computer networks, servers, personal computers, mobile phones, incident responses, vulnerability databases and ways to exploit vulnerabilities.

According to the report, the UK was the most affected country in Europe by cyberattacks in 2022, accounting for 43% of cases. It was followed on IBM’s list by Germany (14%), Portugal (9%), Italy (8%) and France (7%).

The increasing number of attacks and their impact in Portugal have been widely felt and reported by the media. Therefore, it was not surprising that the Portuguese Data Protection Authority (CNPD) approved Guideline/2023/1 on organisational and security measures applicable to the processing of personal data, in its 10 January 2023 meeting.

According to CNPD, the main vectors of attack in Portugal have been the exploitation of infrastructure vulnerabilities, the lack of training to detect phishing campaigns that allow the distribution of malware – with special relevance to ransomware attacks – and the lack of awareness of those responsible as to the risks to the data subjects’ rights that the lack of investment in security mechanisms entails. For CNPD, in most of the assessed attacks, the consequences could have been, if not avoided, at least substantially reduced.

CNPD as the national supervisory authority, in pursuit of the tasks set out in article 57(1)(d) of the GDPR, in conjunction with article 3 of Law 58/2019 of 8 August 2019 (Portuguese Data Protection Law), considered appropriate to make controllers and processors aware of their obligations concerning security of personal data.

In accordance with the requirements set out in article 32(1) and (2) of the GDPR, the controller shall be responsible for assessing and implementing the technical and organisational measures necessary to provide the processing of personal data with a level of security appropriate to the risk, including the ability to ensure the confidentiality, integrity, availability and resilience of the processing systems and services. Depending on what is appropriate to the characteristics and sensitivity of each processing of personal data processing carried out and the specific characteristics of the particular organisation, the following security measures should be considered:

Organisational:
    1. Defining and regularly exercising the incident response and disaster recovery plan, foreseeing the necessary mechanisms to guarantee the security of information and the resilience of the systems and services, as well as ensuring that the availability of data is reestablished in a timely manner after an incident.
    2. Classifying the information according to the level of confidentiality and sensitivity.
    3. Document security policies.
    4. Adopting analysis procedures for monitoring traffic flows on the network.
    5. Defining secure password management policies and imposing requirements for the size, composition, storage and the frequency with which a password needs to be changed.
    6. Creating a user lifecycle management policy to ensure that each employee has access only to the data required to perform his or her job and frequently review the permissions.
    7. Adopting alarm systems that allow the identification of situations of access, attempts or misuses.
    8. Defining, at an early stage, the best information security practices to be adopted, both at the software development stage and at the acceptance testing stage.
    9. Conducting IT security audits and systematic vulnerability assessments (pen testing).
    10. Checking if the defined security measures are in place and ensuring they are effective and updated, especially when processing or circumstances change, including those implemented by Processors.
    11. Documenting and correcting detected security vulnerabilities without delay.
    12. Taking the necessary measures to ensure full compliance with article 33 of the GDPR, in particular regarding the development of an internal policy to address and document possible data breaches.
    13. Encouraging a culture of privacy and information security among employees, so that each employee is able to recognise potential threats and act accordingly.
    14. Making all employees aware of the duty of confidentiality to which theyare subject.
    15. Periodically evaluating internal technical and organisational security measures, and updating and reviewing them whenever necessary.
Technical:
  1. Authentication – using strong passwords and multi-factor authentication systems.
  2. Infrastructure and systems – updating systems, maintaining updated firmware, designing and organising the systems and infrastructures to avoid malware dissemination.
  3. E-mail – defining internal procedures and policies concerning the use of e-mail.
  4. Protection against malware – using encryption tools, creating back-ups and using antimalware tooling.
  5. Equipment in external environments – using a VPN.
  6. Storage of physical documents containing personal data – keeping physical data in places duly protected from fire, humidity and with controlled temperatures and implementing access control measures.
  7. Transport of information containing personal data – encrypting CDs/DVDs and USB pens.

Controllers and processors are, according to Guideline/2023/1, encouraged to define and implement prevention plans in advance, so that they can protect their systems and infrastructure, and have mechanisms in place to detect a personal data breach and rapidly mitigate the adverse effects on the rights of data subjects. An incident response plan should include an assessment of the risk for these individuals, enabling the controller to conclude whether to notify the data breach to either the supervisory authority or the data subjects affected.

The information necessary to notify the supervisory authority may be provided in phases, but this does not exclude the obligation for the controller to act in a timely manner to respond to the personal data breach.

Therefore, under article 57(1)(d) of the GDPR, the CNPD recommends the controller, as well as the processor (with the necessary adaptations), adopts the security measures listed in the referred guidelines, depending on what is appropriate to the characteristics and level sensitivity of the personal data processing carried out and the specific features of its organisation, with a view to compliance with the obligations laid down in article 32(1) and (2) of the GDPR on the security of personal data processing.

2023 will definitely be a challenging year for all entities in Portugal, particularly after the Portuguese Authority issued Guideline/2023/1, emphasising the need to strengthen the organisational and technical measures and providing guidance concerning the most relevant and effective measures.