The General Data Protection Regulation (GDPR) and organisational security
Implementation of the GDPR in the UK is now less than a year away and much is being written about this major step change in data protection regulation. The overall requirements, prospective fines for data breach and breach reporting obligations are all headline topics and deservedly so.
If your organisation processes personal data concerning EU citizens you should already be preparing for May 25th 2018 when the GDPR will come into force, although many surveys have shown that preparedness is not as high as it should be and companies in the UK are lagging behind their continental neighbours.
Whilst much emphasis has been placed on the essential early steps of analysing what data is held, where the data is held, why the data is held and how to securely manage that data, it is equally important to review the security measures that are in place. After all, the GDPR is centred on the consequences of data breach and breaches can be the result of a variety of security weaknesses.
Organisations must take all measures required by Article 32, which sets out the GDPR’s “security of processing” standards.
Under Article 32, controllers and processors are required to “implement appropriate technical and organizational measures” taking into account “the state of the art and the costs of implementation” and “the nature, scope, context, and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.” The GDPR provides specific guidelines for what kinds of security actions might be considered “appropriate to the risk,” including:
- The pseudonymisation and encryption of personal data.
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Words and phrases such as “appropriate” and “state of the art” can be open to interpretation, however it’s clear that measures to provide strong IT, Data and Cyber security resilience are important for GDPR compliance.
A starting point is to conduct a security audit, this will identify existing and potential weaknesses that would make breaches more likely and highlight potential cybersecurity risks.
What are the critical issues that should be addressed?
- Network Security – comprehensive network and cybersecurity procedures, solutions and processes providing enhanced levels of security.
- Application Security – ensuring that all business applications that store, process and manage personal data are secure.
- Infrastructure Security – solutions to protect all IT infrastructure which should include device security, cloud data management, storage and archiving solutions.
- Encryption and pseudonymisation solutions.
- Backup and recovery solutions.
- IT Usage and Data Protection policies
- Staff training – ensuring that all staff are trained to understand and follow data management procedures and cybersecurity awareness training to help teams identify threats.
As the cybersecurity threat landscape continues to grow all of the above points are critical considerations to safeguard every organisation’s day to day operations and not just for GDPR compliance.
If you require any further information or wish to discuss how CF Systems can help with a security audit, please contact us on 01209 340030 or by email enquiries@cfsystems.biz