The GDPR has improved over the past couple of years in defining what constitutes general vs. sensitive personal data. If you need a refresher, check out our last blog post: The GDPR: What is Considered Sensitive Personal Data? 

What isn’t explicitly spelled out is the set of security controls an organization is expected to put in place to safeguard the personal data it holds. In this post, we’ll look at exactly what the GDPR requires you to implement in terms of “appropriate technical and organisational measures” so that you process personal data securely.

Look no Further than Articles 32, 40 and 42

Article 32(1) is the GDPR’s security clause. Article 32(3) adds that adherence to an approved code of conduct (Article 40) or an approved certification mechanism (Article 42) may be used as an element to demonstrate compliance; note that certification is voluntary under Article 42(3), so there is no “required” security certification. What Article 32(1) does require is that controllers and processors implement measures appropriate to the risk, and it names four of them explicitly, “inter alia, as appropriate”:

  1. the pseudonymization and encryption of personal data;
  2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

This still leaves a lot of room for interpretation. The regulation is deliberately risk-based, so you have flexibility in how you meet it: your preferred tools and methodologies, scaled to the sensitivity of the data and your current security posture. Encryption is not mandated for every record, but it is the only control the GDPR names twice (Article 32(1)(a) and again in Article 34(3)(a), where a breach of data rendered unintelligible by encryption need not be communicated to the affected individuals). It is also a relatively low-cost control that is highly effective, which makes it the natural place to start.

Encryption 101 for GDPR 

The most literal recommendation, point (a), calls for the pseudonymization and encryption of personal data. You should have an encryption policy in place that governs how and when you apply encryption (at rest, in transit, and in backups), and you should train your staff in its use and importance. When storing or transmitting personal data, use an encryption tool that meets current standards; the UK ICO’s guidance still cites FIPS 140-2 and FIPS 197, but FIPS 140-3 has since superseded FIPS 140-2 for new module validations, so read that as “a module with a currently valid FIPS 140 validation, using a standard algorithm such as AES”. The ICO publishes the checklist below to help you get started:

  • We understand that encryption can be an appropriate technical measure to ensure that we process personal data securely.
  • We have an appropriate policy in place governing our use of encryption.
  • We ensure that we educate our staff on the use and importance of encryption.
  • We have assessed the nature and scope of our processing activities and have implemented encryption solution(s) to protect the personal data we store and/or transmit.
  • We understand the residual risks that remain, even after we have implemented our encryption solution(s).
  • Our encryption solution(s) meet current standards such as FIPS 140-2 and FIPS 197.
  • We ensure that we keep our encryption solution(s) under review in the light of technological developments.
  • We have considered the types of processing we undertake, and whether encryption can be used in this processing.
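To make point (a) concrete, here is an added example, written for this post and not code from the ICO, the GDPR text or Ground Labs, showing the two measures side by side on one customer record: pseudonymizing the direct identifier with a keyed HMAC (linkable, but not reversible without the key) and encrypting the remaining fields with AES-256-GCM. The keys, the e-mail address and the JSON record are constructed sample values; in production both keys would come from a KMS or HSM and would never be stored next to the data they protect.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Pseudonymize replaces a direct identifier (e-mail, customer number) with a
// keyed HMAC-SHA256 token. The same input always yields the same token, so
// records stay linkable for analytics, but without pseudoKey nobody can go
// from the token back to the person. An unkeyed hash would NOT do: an
// attacker can hash candidate e-mail addresses and compare.
func Pseudonymize(pseudoKey []byte, identifier string) string {
	mac := hmac.New(sha256.New, pseudoKey)
	mac.Write([]byte(identifier))
	return hex.EncodeToString(mac.Sum(nil))
}

// Encrypt seals plaintext with AES-256-GCM (AES per FIPS 197, GCM mode).
// A fresh random 96-bit nonce is drawn per record and prepended to the
// ciphertext; Seal appends the authentication tag. aad is authenticated but
// not encrypted: passing the pseudonym binds the ciphertext to its record.
func Encrypt(dataKey, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(dataKey) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil // nonce || ct || tag
}

// Decrypt reverses Encrypt. GCM verifies the tag before returning anything,
// so a modified ciphertext, a wrong key or a swapped pseudonym (aad) all fail.
func Decrypt(dataKey, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func main() {
	// Constructed sample keys: two separate keys, so compromising the data
	// key does not let anyone re-identify pseudonyms, and vice versa.
	pseudoKey := mustRandom(32)
	dataKey := mustRandom(32)

	email := "alice@example.com"                          // constructed sample
	record := []byte(`{"name":"Alice","dob":"1990-01-01"}`) // constructed sample

	token := Pseudonymize(pseudoKey, email)
	blob, err := Encrypt(dataKey, record, []byte(token))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: pseudonym=%s... ciphertext=%x...\n", token[:16], blob[:16])

	plain, err := Decrypt(dataKey, blob, []byte(token))
	fmt.Printf("decrypted ok: %v, %s\n", err == nil, plain)

	blob[len(blob)-1] ^= 0x01 // flip one bit in the GCM tag
	_, err = Decrypt(dataKey, blob, []byte(token))
	fmt.Printf("tampered blob rejected: %v\n", err != nil)
}
```

The point of binding the pseudonym in as associated data is that an attacker with write access to the store cannot move Alice’s encrypted fields onto Bob’s row without the decryption failing, which covers the “integrity” part of Article 32(1)(b) as well as the confidentiality part.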

Take Care to Avoid Fines

In the event of a personal data breach, or of processing the GDPR deems unlawful, organizations open themselves up to major fines. Article 32(2) states: “In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.” In short, if you fail to implement security measures proportionate to that risk, the competent supervisory authority (the ICO in the UK, the CNIL in France, and so on) can impose administrative fines under Article 83.

Without visibility into where the data regulated by the GDPR actually lives, organizations have little control over it and are exposed to significant penalties. An infringement of Article 32 itself falls under Article 83(4), with fines of up to 10 million euros or 2% of annual worldwide turnover of the preceding financial year, whichever is higher; but a breach caused by inadequate security usually also infringes the integrity and confidentiality principle in Article 5(1)(f), which sits in the upper tier of Article 83(5): up to 20 million euros or 4% of annual worldwide turnover, whichever is higher.

Don’t take on GDPR alone — Ground Labs is Here to Help

Ground Labs helps you eliminate the root cause of data breaches by identifying where your data resides enabling you to take the appropriate action to remediate, delete, quarantine or encrypt that data.

With Enterprise Recon by Ground Labs, the discovery side of GDPR compliance becomes manageable: the award-winning solution can identify, monitor and remediate over 300 different types of data, including sensitive personal information. Organizations can also build an inventory of sensitive data and keep it current, supporting the Article 32(1)(d) requirement for regular testing and evaluation by monitoring that data around the clock via the Enterprise Recon dashboard.

Don’t leave sensitive personal information up to chance — book a demo with us today to get started on a clear path to GDPR compliance.

Want to keep up with all our blog posts? Subscribe to our newsletter!