GDPR AND ITS TECHNICAL REQUIREMENTS
The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, is the EU law on data protection and privacy for individuals within the European Union. It also governs the transfer of personal data outside the EU. The GDPR aims primarily to give individuals control over their personal data and to simplify the regulatory environment for international business by unifying data protection rules across the EU.
A Closer Look at the GDPR’S Technical Requirements
The EU General Data Protection Regulation (GDPR) will soon be in effect, but many organisations are still working towards compliance. One part of the Regulation that trips people up is Article 32, Security of processing. It describes the technical and organisational measures organisations should have in place, but it is densely written and uses unfamiliar terms. Article 32(1) reads:
"Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk [...]"
This post focuses on the technical requirements and explains what the Article actually requires organisations to do.
Identify the data you process
Organisations need to know what personal data they process before they can assess the risk it poses. The first step is to produce a data flow map that identifies:
- Data items (e.g. names, email addresses, records);
- Formats (e.g. hard copy forms, online data entry, database);
- Transfer methods (e.g. post, telephone, internal/external); and
- Locations (e.g. offices, Cloud, third parties).
This gives the organisation the nature and scope of its processing (the first factors Article 32 asks it to weigh) and a baseline against which to judge whether its security measures reflect the state of the art, i.e. current, generally available technologies and practices rather than whatever happens to be in place.
Perform a risk assessment
Organisations can't prepare for every threat, so they should prioritise the biggest ones. That means conducting a risk assessment that estimates, for each scenario, the likelihood that it occurs and the severity of the harm it would do to the individuals concerned; the Regulation's own phrase is "risk of varying likelihood and severity for the rights and freedoms of natural persons".
Vulnerability scans and penetration tests are the usual way to find the technical weaknesses that feed into this assessment. They tell you how an attacker could get in; you still have to judge what data they would reach and how much harm that would do.
A vulnerability scan is an automated process that checks systems against a database of known weaknesses (missing patches, insecure configurations, outdated software) and reports what it finds. Scans are run from two vantage points. External scans run from outside the network and show what an attacker on the internet can reach and exploit; internal scans run from inside and show what an insider, or an outsider who has already gained a foothold, could exploit. A scanner only knows about published weaknesses, so a clean scan does not mean a system is secure.
Penetration testing is a controlled form of hacking in which a professional penetration tester, working on behalf of and with written authorisation from the organisation, uses the same techniques as a criminal attacker to find and exploit vulnerabilities in the organisation's networks or applications, including weaknesses that automated scanners miss, such as business-logic flaws and chains of individually low-severity issues. Tests can target the application or network level, and the scope can be limited to particular departments, functions or assets.
Decide upon a risk treatment
There are four ways to treat risks:
- Avoid the risk by eliminating it entirely (for example, by stopping the processing or deleting data you do not need).
- Modify the risk by applying security controls that reduce its likelihood or severity.
- Share the risk with a third party (through insurance or by outsourcing the processing). A controller that outsources processing to a processor remains responsible for compliance: sharing transfers part of the cost or the work, not the accountability.
- Retain the risk (only if it falls within risk acceptance criteria you have established in advance).
Which option you choose is at your discretion, but you must be able to demonstrate that it was appropriate to the risk. That means writing down the assessment, the option chosen and the reasons for it, fixing your acceptance criteria before you score anything, and applying them consistently across scenarios.
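The three steps above (map the data flows, score each scenario by likelihood and severity, pick a treatment against pre-agreed acceptance criteria) can be kept in a small risk register so that every decision is recorded with its justification. The following Python is an added example for this post, not code from the original page or from any regulator; the data flows, threat scenarios, 1-5 scores, thresholds and decision rules are constructed sample values, not figures taken from the Regulation.

```python
"""Risk register for GDPR Article 32 'Security of processing'.

Added example (not from the original post). Walks the three steps: build a data flow
map, score threat scenarios by likelihood and severity, choose one of the four risk
treatments against acceptance criteria fixed in advance, and keep the justification.
All flows, scenarios, scores and thresholds are constructed sample values.
"""
from dataclasses import dataclass
from enum import Enum


class Treatment(Enum):
    AVOID = "avoid"     # eliminate the risk: stop the processing or delete the data
    MODIFY = "modify"   # reduce it with security controls
    SHARE = "share"     # insure or outsource; the controller stays accountable
    RETAIN = "retain"   # accept it, only within the acceptance criteria


@dataclass(frozen=True)
class DataFlow:
    """One row of the data flow map: what is processed, in what form, how it moves, where it lives."""
    name: str
    data_items: tuple[str, ...]
    data_format: str        # e.g. "database", "hard copy", "online form"
    transfer_method: str    # e.g. "internal", "external", "post"
    location: str           # e.g. "office", "cloud", "third party"


@dataclass(frozen=True)
class Scenario:
    """A threat against one data flow, scored 1-5 for likelihood and for severity of harm."""
    flow: DataFlow
    threat: str
    likelihood: int
    severity: int
    essential: bool = True       # False: processing could be dropped without harming the purpose
    transferable: bool = False   # True: an insurer or processor can reasonably carry the risk

    def __post_init__(self) -> None:
        for name in ("likelihood", "severity"):
            if not 1 <= getattr(self, name) <= 5:
                raise ValueError(f"{name} must be in 1..5")

    @property
    def score(self) -> int:
        return self.likelihood * self.severity


# Constructed acceptance criteria. Fixed before scoring and applied to every scenario
# the same way, which is what lets you demonstrate the choice was appropriate.
ACCEPTANCE_CRITERIA = {
    "retain_max_score": 4,     # likelihood * severity <= 4 may simply be retained
    "avoid_min_severity": 5,   # severe harm from non-essential processing: avoid it
}


def choose_treatment(s: Scenario, criteria: dict = ACCEPTANCE_CRITERIA) -> tuple[Treatment, str]:
    """Return (treatment, justification) for one scenario under the given criteria."""
    if s.score <= criteria["retain_max_score"]:
        return Treatment.RETAIN, f"score {s.score} within acceptance criteria"
    if s.severity >= criteria["avoid_min_severity"] and not s.essential:
        return Treatment.AVOID, "severe harm and processing is not essential: stop processing"
    if s.transferable:
        return Treatment.SHARE, "risk carried by a third party; controller remains accountable"
    return Treatment.MODIFY, f"score {s.score} above criteria: apply controls and re-assess"


def external_flows(flows: list[DataFlow]) -> list[str]:
    """Names of flows where personal data leaves the organisation (in transit or at rest)."""
    return [f.name for f in flows
            if f.transfer_method == "external" or f.location in ("cloud", "third party")]


def build_register(scenarios: list[Scenario]) -> list[dict]:
    """Score every scenario, choose a treatment, and list the biggest risks first."""
    register = []
    for s in sorted(scenarios, key=lambda x: x.score, reverse=True):
        treatment, why = choose_treatment(s)
        register.append({
            "flow": s.flow.name, "threat": s.threat,
            "likelihood": s.likelihood, "severity": s.severity, "score": s.score,
            "treatment": treatment.value, "justification": why,
        })
    return register


# Constructed sample data flow map and threat scenarios.
CRM = DataFlow("crm", ("name", "email"), "database", "internal", "cloud")
PAYROLL = DataFlow("payroll", ("name", "bank account", "salary"), "database", "external", "third party")
VISITOR_LOG = DataFlow("visitor log", ("name",), "hard copy", "internal", "office")
LEGACY_EXPORT = DataFlow("legacy export", ("name", "email"), "spreadsheet", "external", "third party")

SAMPLE_SCENARIOS = [
    Scenario(CRM, "credential stuffing against the cloud admin console", 4, 3),
    Scenario(PAYROLL, "breach at the outsourced payroll provider", 2, 5, transferable=True),
    Scenario(VISITOR_LOG, "paper log read by an unauthorised visitor", 2, 2),
    Scenario(LEGACY_EXPORT, "unencrypted monthly export emailed to a former supplier", 3, 5,
             essential=False),
]

if __name__ == "__main__":
    print("flows leaving the organisation:", external_flows([CRM, PAYROLL, VISITOR_LOG, LEGACY_EXPORT]))
    for row in build_register(SAMPLE_SCENARIOS):
        print(row)
```

The register is sorted by score so the biggest risks come first, as the assessment step requires, and each row carries the justification string alongside the score and treatment; that row, together with the criteria dictionary, is the evidence you would show to demonstrate that the option chosen was appropriate. Changing a threshold in ACCEPTANCE_CRITERIA re-scores every scenario the same way, which is what keeps the decisions consistent.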