The General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a European regulation designed to improve and unify how global organisations collect, handle, process and store personal data related to people in the EU. Among the GDPR requirements is the need for organisations to improve information security and governance.
So, what are appropriate, reasonable, organisational and technical measures?
The appropriate and reasonable measures come down to identifying the personal information risks your organisation is exposed to, and to how you define, mitigate and manage those risks.
The most widely adopted Information Security Management System (ISMS) standard, found explicitly in ISO27001 and ISO27701, can support the following GDPR articles:
- Article 5
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organisational measures.
- Article 32
The ability to ensure the confidentiality, integrity, availability (CIA) and resilience of processing systems and services. A process for regularly testing, assessing, and evaluating technical and organisational measures’ effectiveness to ensure data processing security.
- Article 33
Robust procedures to detect and investigate personal data breaches and report them within 72 hours to a relevant authority.
- Article 35
Conduct a Data Protection Impact Assessment (DPIA) of the impact of the envisaged processing operations on the protection of personal data. The DPIA shall address the risks, including the safeguards, security measures and mechanisms that ensure the protection of personal data and demonstrate compliance.
The Challenges Of GDPR
Privacy by Design challenge
The GDPR and other privacy regulations require organisations to implement measures at all design phases for processing data.
GDPR requires the confidentiality, integrity and availability (CIA) of data, i.e. the data must be secured. For each data set, the organisation must identify where the data is stored and who has access to it.
An ISMS or a Privacy Information Management System (PIMS) must be implemented to manage personal data, with incident response procedures and data retention periods defined by the organisation.
Ongoing responsibility challenge
Organisations have often underestimated the effort required to implement the necessary measures to satisfy GDPR. GDPR is an ongoing initiative, and at all times, your organisation must be able to demonstrate compliance as your business evolves.
The Benefits Of GDPR
- Increased reliability and reputation
GDPR improves reputation with stakeholders and third parties.
- Customer and third party confidence
Stakeholders are confident that the information, and the systems protecting the privacy data, adhere to industry best practice security controls.
- Increased organisational resilience
The measures implemented can protect your organisation against cyber threats.
- Improve data management
Minimise the privacy data stored and refine data management processes.
What Needs To Be Assessed
Core focus areas for evaluation during the assessment:
Why Choose Us
SecuriCentrix’s security services are designed to provide the vital assistance needed to make tangible improvements to your organisation’s cyber security posture.
Expert security services and solutions tailored to your needs