The GDPR has improved over the past couple of years in defining what constitutes general vs. sensitive personal data. If you need a refresher, check out our last blog post: The GDPR: What is Considered Sensitive Personal Data?
What is not made explicitly clear is which security requirements and strategies the GDPR expects organizations to put in place to safeguard consumer data. Now, more than ever, companies need to keep up with ever-changing compliance laws in order to safeguard the personally identifiable information (PII) of EU consumers and avoid hefty fines. In this post, we’ll explore exactly what the GDPR requires your organization to implement in terms of appropriate technical and organizational measures to ensure you process personal data securely.
GDPR Security Requirements – A Breakdown
Understanding what is required of your organization to be GDPR compliant can feel overwhelming. Here is a quick breakdown of what to know in order to get started.
Look No Further Than Articles 32, 40 and 42
Compliance with Article 32 requirements can be demonstrated by adhering to an approved code of conduct as specified in Article 40 or by holding an approved certification as specified in Article 42. In layman’s terms, the GDPR lists recommended security measures for organizations to implement in order to achieve the required security certification. The general guidance includes:
- the pseudonymization and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
This still leaves a lot of room for interpretation. It means you have flexibility in how you achieve certification under the GDPR, e.g. in your choice of tools and methodologies based on your current security posture. One thing made abundantly clear is that encryption should be used for all personal data. Luckily, this is a relatively low-cost measure that is highly effective.
GDPR Encryption 101
The most literal recommendation, the first item (a), calls for the encryption of personal data. You should have an encryption policy in place that governs how and when you implement encryption, and you should also train your staff in the use and importance of encryption. When storing or transmitting personal data, an encryption tool that meets current standards should be used. The ICO has published the checklist below to help you get started.
- We understand that encryption can be an appropriate technical measure to ensure that we process personal data securely.
- We have an appropriate policy in place governing our use of encryption.
- We ensure that we educate our staff on the use and importance of encryption.
- We have assessed the nature and scope of our processing activities and have implemented encryption solution(s) to protect the personal data we store and/or transmit.
- We understand the residual risks that remain, even after we have implemented our encryption solution(s).
- Our encryption solution(s) meet current standards such as FIPS 140-2 and FIPS 197.
- We ensure that we keep our encryption solution(s) under review in the light of technological developments.
- We have considered the types of processing we undertake, and whether encryption can be used in this processing.
GDPR Security Requirement Checklist
Develop Policies and Procedures for Safeguarding Data
If you don’t already have policies and procedures in place for safeguarding the data your organization collects, it’s time to do so. These policies should be developed with the GDPR requirements in mind, and lay out exactly what your organization needs to do to maintain the safety of PII as well as what to do in the case of a data breach. As the GDPR continues to change over time, you’ll want to review these policies and procedures and keep them as up to date as possible.
Know What to Do in the Case of a Data Breach
In the event of a data breach or unlawful storage of personal data, as determined by the GDPR, organizations open themselves up to major fines. According to Article 32, data controllers need to respond rapidly to the incident and report the breach within 72 hours of discovery, and there should be policies and procedures in place to ensure this process is as efficient as possible.
Have the Right Security Measures in Place
Article 32 states, “In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.” In short, failure to implement the correct security measures in order to protect consumer data will result in fines deemed appropriate by the GDPR council.
This begins with controllers or processors performing a risk analysis to identify potential risks. Any risk that is identified should then be managed appropriately, whether through encryption or pseudonymization.
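As an added example (not code from the original post or from Ground Labs), here is the pseudonymization half of measure (a) above, worked through in Python: direct identifiers are replaced with keyed HMAC-SHA256 tokens under a key bound to one processing purpose, and the token-to-identifier table is kept apart from the pseudonymized copy. The field names, sample records and key are constructed for the example; encryption of stored fields (AES, the FIPS 197 algorithm) would sit alongside this and is not shown.

```python
import hmac
import hashlib
import secrets

# Fields that directly identify a person; hypothetical schema for this example.
DIRECT_IDENTIFIERS = ("email", "full_name")


def pseudonymize(value, key):
    """Replace an identifier with a keyed HMAC-SHA256 token (hex).

    Equal values under the same key give equal tokens, so records about one
    person stay linkable; without the key a token cannot be recomputed from a
    guessed e-mail address, which is what a plain unkeyed hash would allow.
    """
    # Normalise so 'Alice@Example.com' and 'alice@example.com' link together.
    canon = value.strip().lower().encode("utf-8")
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def pseudonymize_records(records, key):
    """Return (pseudonymised copy, re-identification table).

    The table maps token -> original value and is the 'additional information'
    that must be stored separately under its own access controls. The copy is
    still personal data under the GDPR, but a leak of it alone exposes no
    direct identifiers.
    """
    out, lookup = [], {}
    for rec in records:
        copy = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            if field in copy:
                token = pseudonymize(copy[field], key)
                lookup[token] = copy[field]
                copy[field] = token
        out.append(copy)
    return out, lookup


def reidentify(token, lookup):
    """Resolve a token to its identifier; only holders of the table can."""
    return lookup.get(token)


# Constructed sample records and a fresh key bound to one processing purpose;
# a different purpose gets a different key so its tokens cannot be cross-linked.
RECORDS = [
    {"email": "Alice@Example.com", "full_name": "Alice Example", "plan": "pro"},
    {"email": "alice@example.com", "full_name": "Alice Example", "plan": "pro"},
    {"email": "bob@example.com", "full_name": "Bob Example", "plan": "free"},
]
ANALYTICS_KEY = secrets.token_bytes(32)
```

The non-identifying fields (here `plan`) pass through unchanged, so analytics can run on the pseudonymized copy while the lookup table stays with the controller.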
Implement the Right Data Discovery Tool
Without the right technology partner, organizations have little control or visibility into the data regulated by GDPR, making them vulnerable to significant penalties – with fines of up to 20 million euros, or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater. However, with the right data discovery tool, authorized users have full visibility into where all your PII resides across servers in your organization and can confidently ensure its protection.
Don’t take on GDPR alone — Ground Labs is Here to Help
Ground Labs helps you eliminate the root cause of data breaches by identifying where your data resides, enabling you to take the appropriate action to remediate, delete, quarantine or encrypt that data.
With Enterprise Recon by Ground Labs, GDPR compliance is easily achievable, as the award-winning solution can identify, monitor and remediate over 300 different types of data, including personal sensitive information. Organizations can also create an inventory of sensitive data, upholding the GDPR requirements for ongoing data surveillance by monitoring it around the clock via the Enterprise Recon dashboard.
Don’t leave sensitive personal information up to chance — book a demo with us today to get started on a clear path to GDPR compliance.