BY Stephen Cavey | 24 November 2020
The GDPR has improved over the past couple of years in defining what constitutes general vs. sensitive personal data. If you need a refresher, check out our last blog post: The GDPR: What is Considered Sensitive Personal Data?
What isn’t made explicitly clear is the set of security requirements and strategies the GDPR expects organizations to put in place in order to safeguard consumer data. And now, more than ever, companies need to stay on top of ever-changing compliance laws in order to safeguard the personally identifiable information (PII) of EU consumers and avoid hefty fines. In this post, we’ll explore exactly what the GDPR requires your organization to implement in terms of appropriate technical and organizational measures to ensure you process personal data securely.
Understanding what is required of your organization to be GDPR compliant can feel overwhelming. Here is a quick breakdown of what to know in order to get started.
Compliance with Article 32 requirements can be demonstrated by adhering to an approved code of conduct as specified in Article 40 or by holding an approved certification as specified in Article 42. In layman’s terms, the GDPR provides a list of recommended security codes of conduct for organizations to implement in order to achieve the required security certification. The general guidance includes:
This still leaves a lot of room for interpretation, meaning you have flexibility in how you achieve certification under the GDPR, e.g. your preferred tools and methodologies based on your current security posture. One thing made abundantly clear is that encryption should be used for all personal data. Luckily, this is a relatively low-cost tool that is highly effective.
The most literal recommendation, ‘A’, calls for the encryption of personal data. You should have an encryption policy in place that governs how and when you implement encryption, and you should also train your staff in the use and importance of encryption. When storing or transmitting personal data, an encryption tool that meets current standards should be used. The ICO has published the checklist below to help you get started.
If you don’t already have policies and procedures in place for safeguarding the data your organization collects, it’s time to do so. These policies should be developed with the GDPR requirements in mind, and lay out exactly what your organization needs to do to maintain the safety of PII as well as what to do in the case of a data breach. As the GDPR continues to change over time, you’ll want to review these policies and procedures and keep them as up to date as possible.
In the event of a data breach or unlawful storage of personal data, as determined by the GDPR, organizations open themselves up to major fines. According to Article 32, data controllers need to respond rapidly to the incident and report the breach within 72 hours of discovery, and there should be policies and procedures in place to ensure this process is as efficient as possible.
Article 32 states, “In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.” In short, failure to implement the correct security measures to protect consumer data will result in fines deemed appropriate by the GDPR council.
This begins with controllers or processors performing a risk analysis to identify potential risks. Any risk that is identified should then be managed appropriately, whether through encryption or pseudonymization.
Without the right technology partner, organizations have little control or visibility into the data regulated by GDPR, making them vulnerable to significant penalties – with fines of up to 20 million euros, or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater. However, with the right data discovery tool, authorized users have full visibility into where all your PII resides across servers in your organization and can confidently ensure its protection.
Ground Labs helps you eliminate the root cause of data breaches by identifying where your data resides, enabling you to take the appropriate action to remediate, delete, quarantine or encrypt that data.
With Enterprise Recon by Ground Labs, GDPR compliance is easily achievable, as the award-winning solution can identify, monitor and remediate over 300 different types of data, including personal sensitive information. Organizations can also create an inventory of sensitive data, upholding the GDPR requirements for ongoing data surveillance by monitoring it around the clock via the Enterprise Recon dashboard.
Don’t leave sensitive personal information up to chance — book a demo with us today to get started on a clear path to GDPR compliance.