BY Stephen Cavey | 24/11/2020
Over the past couple of years, the line between general and sensitive (special category) personal data under the GDPR has become much clearer. If you need a refresher, check out our last blog post: The GDPR: What is Considered Sensitive Personal Data?
What is less explicit is which security measures and strategies organizations are expected to put in place to safeguard that data. In this post, we look at what the GDPR actually requires under Article 32, "Security of processing": the appropriate technical and organizational measures that ensure personal data is processed securely.
Article 32(3) says that adherence to an approved code of conduct (Article 40) or an approved certification mechanism (Article 42) may be used as an element to demonstrate compliance with Article 32. In layman's terms, codes of conduct and certifications are optional evidence that you meet the requirement; they are not the requirement itself, and neither is mandatory. The requirement is Article 32(1), which says that, taking into account the state of the art, the cost of implementation, the nature, scope, context and purposes of processing, and the risk to individuals, the controller and processor shall implement appropriate measures including, as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures.
This still leaves a lot of room for interpretation, and deliberately so: Article 32 is risk-based, so you have flexibility in which tools and methodologies you use, as long as the result is appropriate to the risk given your current security posture. Encryption and pseudonymisation are the only measures named explicitly, and even those are listed "as appropriate" rather than as an absolute rule for all personal data. In practice, though, encrypting personal data at rest and in transit is relatively low-cost and highly effective, so you should expect to have to justify any decision not to do it.
The most concrete of these, Article 32(1)(a), calls for the pseudonymisation and encryption of personal data. You should have an encryption policy that governs how and when encryption is applied, and you should train staff in its use and importance. When storing or transmitting personal data, use an encryption tool that meets current standards (for example, an authenticated cipher such as AES-GCM for data at rest and TLS 1.2 or later for data in transit), and keep the keys separate from the data they protect. The ICO has published a checklist on encryption to help you get started.
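To make the "encryption of personal data at rest" measure concrete, here is an added example (our own illustration, not part of the original post and not Ground Labs product code) of field-level encryption in Go using AES-256-GCM from the standard library. The record ID "cust-1001" and the e-mail address are constructed sample data. The point it demonstrates that the paragraph above does not: an authenticated cipher also detects tampering, and binding the record ID as associated data means a ciphertext copied from one customer's row to another fails to decrypt rather than silently revealing the wrong person's data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit key from the OS CSPRNG. In production the
// key lives in a KMS, HSM or secrets manager, never beside the data it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newAEAD builds an AES-256-GCM instance and rejects keys of the wrong size.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one personal-data field. A random 96-bit nonce is
// prepended to the ciphertext (GCM must never reuse a nonce under one key;
// random nonces are safe for well under 2^32 messages per key, rotate before
// that). The record ID is authenticated as associated data so the ciphertext
// only decrypts against the record it was written for. Output is base64 so it
// can be stored in an ordinary text column.
func EncryptField(key []byte, recordID, plaintext string) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, []byte(plaintext), []byte(recordID))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField. Any error (wrong key, wrong record ID,
// or a modified byte anywhere in the blob) is reported as a single generic
// failure so callers cannot distinguish the cases.
func DecryptField(key []byte, recordID, encoded string) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	sealed, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns+aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := aead.Open(nil, sealed[:ns], sealed[ns:], []byte(recordID))
	if err != nil {
		return "", errors.New("decryption failed: wrong key, wrong record, or tampered data")
	}
	return string(pt), nil
}

func main() {
	key, _ := NewKey()
	// Constructed sample record; any real deployment would read these from the store.
	ct, _ := EncryptField(key, "cust-1001", "jane.doe@example.com")
	pt, err := DecryptField(key, "cust-1001", ct)
	fmt.Println("same record:", pt, err)
	_, err = DecryptField(key, "cust-2002", ct)
	fmt.Println("ciphertext moved to another record:", err)
}
```

Each call to EncryptField produces a different ciphertext for the same input because of the fresh nonce, so an attacker reading the database cannot tell which customers share an e-mail address; if you need equality search on an encrypted column, that is a separate design problem (a keyed hash or a tokenisation service) rather than a reason to drop the nonce.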
In the event of a personal data breach, or of processing without appropriate security, organizations open themselves up to major fines. Article 32(2) states: "In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed." In short, failing to implement security measures appropriate to those risks can result in fines imposed by the supervisory authority for your jurisdiction (in the UK, the ICO) under Article 83.
Without the right technology partner, organizations have little control or visibility into the data regulated by the GDPR, making them vulnerable to significant penalties. Article 83 sets two tiers of administrative fine: up to 10 million euros or 2% of total annual worldwide turnover of the preceding financial year, whichever is higher, for breaches of the controller and processor obligations, which include the Article 32 security requirements; and up to 20 million euros or 4% for the most serious infringements, such as breaches of the basic processing principles or of data subjects' rights. A security failure is often accompanied by a breach of those principles, so in practice the higher tier is never far away.
Ground Labs helps you eliminate the root cause of data breaches by identifying where your data resides, enabling you to take the appropriate action to remediate, delete, quarantine or encrypt that data.
With Enterprise Recon by Ground Labs, GDPR compliance is far more achievable, as the award-winning solution can identify, monitor and remediate over 300 different types of data, including sensitive personal information. Organizations can also build an inventory of sensitive data and monitor it around the clock via the Enterprise Recon dashboard, supporting the Article 32 expectation that security measures are regularly tested and evaluated rather than set up once and forgotten.
Don’t leave sensitive personal information up to chance — book a demo with us today to get started on a clear path to GDPR compliance.