What is the appropriate security to meet GDPR?

The General Data Protection Regulation (GDPR) is the EU regulation that requires organisations to protect the personal data (including special categories of sensitive data) of individuals in the EU, whoever processes it and wherever the processing takes place. Non-compliance, or a compromise of the data, exposes an organisation to regulatory fines (up to €20 million or 4% of worldwide annual turnover, whichever is higher), compensation claims and legal action. Its two main aims are a harmonised flow of personal data between the Member States and the protection of individuals' privacy rights. Since the GDPR came into force, activities such as data mapping, data protection impact assessments, consent management and the handling of data subject rights have become ongoing obligations that businesses must keep under review.

Guidelines from supervisory authorities (France's CNIL and the UK's ICO):

  • According to the CNIL (France's supervisory authority), the basic precautions for risk management include the following:
  1. Listing the processing operations carried out on personal data, and where the data is processed and stored, including the media used.
  2. Assessing the risks generated by each processing operation.
  3. Implementing the planned security measures and checking regularly that they are in place.
  4. Carrying out periodic security audits, each producing a specific action plan that is tracked at the highest level of the organisation's hierarchy.
  5. Treating security risk management and privacy risk management together, rather than as two separate exercises.
  • According to the ICO (the UK's supervisory authority), the “Cyber Essentials” controls form the baseline set of controls:
  1. Boundary firewalls, secure configuration of devices and software, user access control and malware protection.
  2. Keeping software patched (security update management) completes the five controls; together they are the starting point for protective measures, not their full extent.
  3. Organisations should then strengthen their measures according to their own circumstances and risks.

The GDPR rights of individuals (data subjects)

  • Where a firm relies on consent, it must be freely given, specific, informed and unambiguous (an explicit opt-in, not a pre-ticked box), and the firm must tell individuals what the data will be used for and how long it will be kept.
  • Any individual can request a copy of all the personal data the company holds about them (the right of access).
  • They have the right to an explanation of how their data is used and of which third parties it has been shared with.
  • Individuals can ask for their data to be passed from one controller to another in a machine-readable format (the right to data portability).
  • Individuals can withdraw consent at any time and can request erasure of data that is no longer needed for the purpose it was collected for (the right to erasure).
  • Individuals can claim compensation for material or non-material damage suffered as a result of an infringement of the GDPR.

The GDPR requirements for controllers and processors

  • They must implement security measures appropriate to the risk, such as encryption and pseudonymisation, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore availability after an incident, and regular testing and evaluation of the effectiveness of those measures.
  • 'Pseudonymisation' can be used as a security measure: personal data is processed so that it can no longer be attributed to a specific individual without additional information (such as a key or lookup table) that is kept separately under its own access controls. Pseudonymised data is still personal data; only truly anonymised data falls outside the GDPR.
  • Data controllers are bound by the accountability principle: maintaining records of processing activities, carrying out data protection impact assessments for high-risk processing, and so on.
  • They also need effective procedures in place for managing threats, with controls proportionate to the risk posed to individuals (the risk-based approach).
  • Controllers must be able to demonstrate their compliance with the GDPR to the supervisory authority on request, and to the individuals affected.
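As an added example (not code from the article or from any supervisory authority), the following Python shows what the pseudonymisation bullet above means in practice: direct identifiers are replaced by a keyed token, per-customer analytics still work on the tokenised data, re-identification needs a separately held key or lookup map, and an unkeyed hash, which is often mistaken for pseudonymisation, is shown to be reversible by guessing. The customer records are constructed, fictitious data, and SECRET_KEY is a placeholder for a key that would live in a secrets store with its own access controls.

```python
"""Pseudonymisation with a keyed token, kept apart from the re-identification key.

Added example for this article; not the article author's code nor any regulator's.
CUSTOMERS is constructed, fictitious data. SECRET_KEY is a hypothetical placeholder
for a key held in a KMS or secrets store, separately from the dataset.
"""
import hashlib
import hmac
from typing import Optional

# Constructed sample records (fictitious people and postcodes).
CUSTOMERS = [
    {"email": "Alice@example.com", "postcode": "SW1A 1AA", "purchases": 3},
    {"email": "bob@example.com",   "postcode": "M1 1AE",   "purchases": 1},
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "purchases": 2},
]

# Hypothetical key; in production it must never be stored with the dataset.
SECRET_KEY = b"replace-me-with-a-32-byte-random-key"


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed, deterministic token (HMAC-SHA256, truncated for readability).

    Same identifier + same key -> same token, so analysts can still count and
    join per customer. Without `key` the token cannot be recomputed or linked
    back to the email; the key is the 'additional information kept separately'
    that GDPR Art. 4(5) describes.
    """
    normalised = identifier.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Return (pseudonymised dataset, re-identification map).

    The map (or the key) must be held under separate control; as long as
    either exists, the dataset is still personal data under the GDPR.
    """
    dataset, lookup = [], {}
    for r in records:
        token = pseudonym(r["email"], key)
        lookup[token] = r["email"].strip().lower()
        dataset.append({"customer": token,
                        "postcode": r["postcode"],
                        "purchases": r["purchases"]})
    return dataset, lookup


def purchases_per_customer(dataset):
    """Analytics on the pseudonymised data alone: no email needed."""
    totals = {}
    for row in dataset:
        totals[row["customer"]] = totals.get(row["customer"], 0) + row["purchases"]
    return totals


def reidentify(token: str, lookup) -> Optional[str]:
    """Only the holder of the separately stored map can do this."""
    return lookup.get(token)


def naive_hash(identifier: str) -> str:
    """An unkeyed hash: what many teams mistake for pseudonymisation."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()[:16]


def brute_force(target: str, candidates) -> Optional[str]:
    """With a guessable input space (emails, national IDs) an attacker
    simply recomputes unkeyed hashes until one matches."""
    for c in candidates:
        if naive_hash(c) == target:
            return c
    return None


if __name__ == "__main__":
    data, lookup = pseudonymise(CUSTOMERS, SECRET_KEY)
    print(purchases_per_customer(data))          # totals keyed by token only
    print(reidentify(data[0]["customer"], lookup))  # needs the separate map
    print(brute_force(naive_hash("bob@example.com"),
                      ["alice@example.com", "bob@example.com"]))
```

The design point is the separation: the analytics team receives only the tokenised dataset, while the key and the lookup map stay with a small group under their own access control and audit logging. If the key is ever stored next to the data, or an unkeyed hash is used, the "pseudonymised" dataset is effectively the original.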

The GDPR requirements in case of potential breaches

  • A personal data breach must be notified to the supervisory authority (DPA) within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
  • Where the breach is likely to result in a high risk to individuals, they must also be informed directly and without undue delay.

Where a breach is notified, the report must include

  • A description of the nature of the breach, including the categories and approximate number of individuals affected and the categories and approximate number of personal data records concerned.
  • The name and contact details of the organisation's data protection officer, or another contact point for further information.
  • A clear description of the likely consequences of the breach; when individuals are notified, this must be communicated to them in plain language.
  • The measures the organisation has taken or proposes to take to address the breach and mitigate its effects, which must likewise be communicated to affected individuals when they are notified.

International data transfer rules under the GDPR

  • Personal data may be transferred outside the EEA only to recipients that offer an 'adequate' level of protection.
  • The Commission issues adequacy decisions listing the third countries (and territories or sectors) whose protection it considers adequate; transfers to those countries need no further authorisation.
  • Transfers to other countries require appropriate safeguards laid down in the GDPR, such as Standard Contractual Clauses approved by the Commission or Binding Corporate Rules, or must fall under one of the narrow derogations.

Other obligations regarding DPO under GDPR are:

  • Public authorities, and companies whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data, must appoint a Data Protection Officer (DPO).
  • A group of undertakings may appoint a single DPO, provided the DPO is easily accessible from each establishment.
  • A 'one-stop-shop' system applies to companies with establishments in multiple EU Member States: the supervisory authority of the main establishment acts as the lead Data Protection Authority (DPA) and cooperates with the other DPAs concerned.
  • An independent European Data Protection Board (EDPB) issues guidelines and opinions on applying the GDPR and reports on its activities annually to the European Parliament, the Council and the Commission.
  • For businesses that already have data protection policies and procedures in place:
    • They should review their existing policies and procedures to ensure their systems comply with the GDPR requirements.
    • They should be able to handle requests from individuals, such as data deletion and the other rights listed above.

Checklist for GDPR compliance

  • Conducting regular audits to determine what personal data the organisation processes, and which employees and third parties have access to it.
  • Having a lawful basis for each processing activity the organisation carries out.
  • Having a privacy policy that discloses that lawful basis and describes the processing and sharing that takes place.
  • Taking data protection into account from the start (data protection by design and by default), from the product development stage through every processing operation.
  • Encrypting, pseudonymising or anonymising data wherever possible or required.
  • Having a suitable internal security policy for the team.
  • Running awareness training and regularly checking that employees understand data protection and know the specific steps to follow during a breach.
  • Carrying out data protection impact assessments regularly and whenever new high-risk processing is planned.
  • Having a dedicated process that notifies the relevant authorities and affected customers in the event of a breach.
  • Making sure that customers can exercise all of their privacy rights on request, and that the company fulfils those requests within the statutory one-month time limit.
  • Having a data protection officer where required, and a designated group of employees to check compliance with the GDPR across the organisation at all times.

The GDPR guidelines are basic measures that any business should comply with, but these precautions alone will not stop a well-funded and sophisticated cyber attack. A proper cybersecurity capability is a growth enabler, so investing in one is a must.

Matt is a global CISO with 20+ years of directing international security programmes for multi-billion pound organisations. He has a passion for security and is a cybersecurity evangelist.
