Update of the CNIL Guide to Personal Data Security – What you need to know 2/2 – 5 new sheets on the Cloud, mobile apps, AI, and APIs

 

Lerins offers you a summary of the do’s and don’ts:

 

1. CLOUD – Sheet 22

To Do:

  • Establish a precise mapping of data and processes conducted in the cloud, alongside an inventory of employed cloud services.

To Avoid:

  • Massively transferring data to the cloud without pre-sorting sensitive information.
  • Neglecting one’s part of data security responsibility, assuming the cloud provider is solely accountable.
  • Performing backups in the same datacenter where the original data is stored.
  • Allowing unrestricted access to cloud providers to your data.

 

2. MOBILE APPS – Sheet 23

To Do: 

  • Utilize dedicated APIs to encapsulate cryptographic secrets directly in the phone’s hardware, like Hardware Keystore for Android or Secure Enclave for Apple.

To Avoid: 

  • Failing to define and formalize precisely the security objectives and technical measures to adopt when contracting with a developer.
  • Allowing subcontractors to add third-party code elements to your application without ensuring they adhere to the strictest security standards.

 

3. ARTIFICIAL INTELLIGENCE – Sheet 24

Do:

  • Develop a comprehensive file for developers and users, detailing the design, operation, and necessary equipment to exploit AI.
  • Establish a mandatory process for the development and incorporation of content into AI systems to ensure the quality and relevance of the information processed.
  • Plan and conduct regular audits covering software, hardware, and organizational aspects, including human monitoring of AI processes to maintain system integrity and safety.

Don’t:

  • Train AI models on unreliable or unverified data
  • Forget to verify output data to ensure absence of personal data or errors
  • Operate AI without a thorough knowledge of their capabilities, limits, or without assessing the potential implications of errors or biases.

 

4. APIs – Sheet 25

Do: 

  • Clarify the roles and responsibilities of each actor involved in the use of APIs to properly define access rights to APIs and data.
  • Implement a tracking system for exchanges conducted via APIs. Use tracing tools to identify and act quickly in case of inappropriate use.
  • Keep detailed documentation up to date, including the format of requests and the structure of exchanged data.

Don’ts:

  • Retaining old versions of your APIs that may contain uncorrected vulnerabilities.
  • Overlooking the security of access keys to APIs.

 

By adopting these practices and avoiding these pitfalls, you will optimize your data security. Protect your data, safeguard operations continuity.

Need more advice? Contact our IT Partner, Mathilde Croze