GDPR security outcomes

A) Managing Security Risk

A.1 Governance

You have appropriate structures, policies, and processes in place to understand, assess, and systematically manage security risks to personal data.

You maintain appropriate data protection and information security policies and procedures. Where required, you keep records of processing activities and have appointed a Data Protection Officer.

A.2 Risk Management

You take steps to identify, assess, and understand security risks to personal data and to the systems that process it.

GDPR takes a risk-based approach to data protection and to the security of processing systems and services. It requires you to assess those risks and to take appropriate technical and organizational measures, making informed, risk-based decisions that take into account:

  • the state of the art
  • the costs of implementation
  • the nature, scope, context, and purposes of the processing
  • the varying likelihood and severity of the risks to individuals’ rights and freedoms.

Furthermore, where processing is likely to result in a high risk to individuals’ rights and freedoms, you must carry out a Data Protection Impact Assessment (DPIA) to evaluate the impact of the processing on the protection of personal data. The DPIA should consider the technical and organizational measures needed to reduce that risk. If those measures do not reduce the risk to an acceptable level, you must consult the ICO before the processing begins.

A.3 Asset Management

You know what personal data you process, have catalogued it, and can state the purpose of the processing. You also understand the risks to individuals from unauthorized or unlawful processing and from accidental loss, destruction, or damage to that data.

The personal data processed must be adequate, relevant, and limited to what is necessary for its intended purpose, and it should not be retained longer than necessary.

A.4 Data Processors and the Supply Chain

You recognize and manage security risks to your processing operations that may arise from dependencies on third parties such as data processors, ensuring that they have appropriate security measures in place.

You must use only processors that provide sufficient guarantees about their technical and organizational measures. GDPR also sets out specific terms that your contracts with processors must contain.

B) Protecting Personal Data Against Cyber Attacks

You have proportionate security measures in place to protect against cyber attacks, covering:

  • the personal data you process
  • the systems that handle that data

B.1 Service Protection Policies and Processes

You should define, implement, communicate, and enforce policies and procedures that govern your overall strategy for securing systems involved in the processing of personal data.

Consider evaluating your systems and applying specific technical controls in accordance with recognized frameworks (like Cyber Essentials).

B.2 Identity and Access Control

You understand, document, and manage access to personal data and to the systems that process it. Access rights are granted only to users who need them to perform their role and are revoked when no longer required. You check that the permissions actually configured on your systems match the documented access rights.
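
The check the paragraph above calls for, comparing documented rights with what is actually configured, can be scripted. What follows is an added example and not part of the NCSC guidance or of this page: it reconciles a constructed access register against a constructed export of the permissions a system grants, and reports grants that are undocumented, lapsed, or broader than approved, plus approvals that were never provisioned. The record formats, user names, data set names and as-of date are assumptions made for illustration.

```python
"""Reconcile documented access rights with the permissions a system actually grants.

Added example, not from the NCSC guidance or the page it summarizes. The
register format, the permission dump format, the user and data set names
and the as-of date are all constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Constructed: the access register kept by the data owner. Each entry records
# who is approved for which data set, at what level, and until when.
ACCESS_REGISTER = [
    {"user": "alice", "dataset": "hr_records", "level": "read",  "expires": "2030-01-01"},
    {"user": "bob",   "dataset": "hr_records", "level": "write", "expires": "2030-01-01"},
    {"user": "carol", "dataset": "crm",        "level": "read",  "expires": "2024-01-01"},
]

# Constructed: what the system actually grants (think of a database role table
# or a file-share ACL exported to a list). Compare with the register above.
EFFECTIVE_PERMISSIONS = [
    {"user": "alice", "dataset": "hr_records", "level": "write"},  # broader than approved
    {"user": "bob",   "dataset": "hr_records", "level": "write"},  # matches the register
    {"user": "carol", "dataset": "crm",        "level": "read"},   # approval has lapsed
    {"user": "dave",  "dataset": "crm",        "level": "read"},   # no register entry at all
]

AS_OF = date(2025, 6, 1)  # constructed date on which the check is run

# Order of privilege, so "write" counts as more than "read".
LEVEL_RANK = {"none": 0, "read": 1, "write": 2, "admin": 3}


@dataclass(frozen=True)
class Finding:
    user: str
    dataset: str
    kind: str     # "undocumented", "lapsed", "excess" or "missing"
    detail: str


def reconcile(register, permissions, today: date) -> list[Finding]:
    """Return every discrepancy between the approved and the effective state.

    undocumented: a grant with no register entry
    lapsed:       a grant whose approval has expired
    excess:       a grant at a higher level than approved
    missing:      an approval not reflected on the system (no exposure, but
                  it shows the register and the system have drifted apart)
    """
    approved = {(r["user"], r["dataset"]): r for r in register}
    effective = {(p["user"], p["dataset"]): p for p in permissions}
    findings: list[Finding] = []

    for (user, dataset), grant in effective.items():
        entry = approved.get((user, dataset))
        if entry is None:
            findings.append(Finding(user, dataset, "undocumented",
                                    f"has {grant['level']} with no approval"))
            continue
        if date.fromisoformat(entry["expires"]) < today:
            findings.append(Finding(user, dataset, "lapsed",
                                    f"approval expired {entry['expires']}"))
        if LEVEL_RANK[grant["level"]] > LEVEL_RANK[entry["level"]]:
            findings.append(Finding(user, dataset, "excess",
                                    f"has {grant['level']}, approved for {entry['level']}"))

    for (user, dataset), entry in approved.items():
        if (user, dataset) not in effective:
            findings.append(Finding(user, dataset, "missing",
                                    f"approved for {entry['level']} but not provisioned"))
    return findings


def needs_revocation(findings: list[Finding]) -> set[tuple[str, str]]:
    """(user, dataset) pairs whose grant should be removed or reduced now."""
    return {(f.user, f.dataset) for f in findings
            if f.kind in {"undocumented", "lapsed", "excess"}}


def audit() -> list[Finding]:
    """Run the reconciliation over the constructed data above."""
    return reconcile(ACCESS_REGISTER, EFFECTIVE_PERMISSIONS, AS_OF)


if __name__ == "__main__":
    for f in audit():
        print(f"{f.kind:<12} {f.user}@{f.dataset}: {f.detail}")
```

Run on the constructed data it reports alice holding write where only read was approved, carol holding a grant whose approval lapsed, and dave holding a grant with no approval at all; bob is silent because the register and the system agree. In practice the register would be the reviewed source of truth and the permission list would be exported from each system on a schedule, with the "undocumented", "lapsed" and "excess" findings feeding a revocation workflow.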

User authentication and authorization should be robust, especially for users with privileged access. Two-factor or hardware authentication measures should be considered for heightened security.

Users cannot download, transfer, alter, or delete personal data without a legitimate organizational reason, and access is arranged so that a full audit trail of who did what is kept.

Enforce a password policy that prevents weak or easily guessed passwords. Change default passwords, and remove or suspend accounts that are no longer used.

B.3 Data Security

Implement technical controls (such as effective encryption) to protect personal data against unauthorized or unlawful processing, including unauthorized access to devices or storage media, to backups, to data in transit (interception), and to residual data on devices sent for repair or disposal.

B.4 System Security

Establish appropriate technical and organizational measures to protect the systems, technologies, and digital services that process personal data from cyber attack.

GDPR takes a risk-based approach, but the security measures you would be expected to have in place include:

  • Tracking and documenting all assets that process personal data, including end user devices and removable media.
  • Reducing the attack surface by configuring technology securely, disabling services that are not needed, and controlling connectivity.
  • Managing software vulnerabilities proactively: use supported software, follow a patching policy, and apply mitigations where a patch cannot be applied.
  • Managing end user devices so that the organization controls the software and applications that can access or interact with personal data.
  • Encrypting personal data at rest on devices that lack strong physical security controls.
  • Encrypting personal data in transit.
  • Protecting web services against common vulnerabilities, such as SQL injection, as described in reputable publications like the OWASP Top 10.
  • Maintaining security across the whole lifecycle of your processing environment.
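
The list item on SQL injection is easiest to see with the weak code beside the fixed code. The following is an added example, not code from the NCSC guidance or from this page: a customer lookup built by string formatting, the bound-parameter version that replaces it, and a constructed attacker value that makes the first return every record while the second returns nothing. The table, records and payload are assumptions for illustration; the example uses Python's standard sqlite3 module.

```python
"""A string-built SQL query beside its parameterized replacement.

Added example, not from the NCSC guidance or the page it summarizes. It uses
Python's sqlite3 module with an in-memory database; the table, the sample
records and the attacker input are constructed for illustration.
"""
from __future__ import annotations

import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory table holding a few constructed customer records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, postcode TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, postcode) VALUES (?, ?)",
        [
            ("ann@example.org", "SW1A 1AA"),
            ("ben@example.org", "M1 1AE"),
            ("cat@example.org", "EH1 1YZ"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list[tuple]:
    """Builds the statement by string formatting. Deliberately vulnerable:
    whatever the caller supplies becomes part of the SQL text, so a value
    containing a quote can rewrite the WHERE clause."""
    query = f"SELECT email, postcode FROM customers WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list[tuple]:
    """Same lookup with a bound parameter. The statement text is fixed and the
    value travels separately, so it can only ever match an email that is
    literally equal to the input, quotes and all."""
    return conn.execute(
        "SELECT email, postcode FROM customers WHERE email = ?", (email,)
    ).fetchall()


# Constructed attacker input: closes the string literal and appends a
# condition that is always true.
PAYLOAD = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:   ", lookup_vulnerable(db, PAYLOAD))     # every row
    print("parameterized:", lookup_parameterized(db, PAYLOAD))  # []
```

The vulnerable lookup ends up executing `... WHERE email = '' OR '1'='1'` and hands back every customer, which is exactly the bulk disclosure of personal data the guidance is concerned with. The fix is not input filtering but keeping the statement and the data apart; the same pattern applies to UPDATE and DELETE statements and to any other database driver that supports bound parameters.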

You regularly test the effectiveness of your security measures, including virus and malware scanning, vulnerability assessments, and, where appropriate, penetration testing. You record the results and maintain action plans for any remediation needed.

Whether you use in-house measures or third-party services such as cloud providers, you remain responsible for the processing and for the devices you manage.

B.5 Staff Awareness and Training

You give staff the support they need to handle personal data securely, including relevant training and access to tools that support secure handling.

You also support staff in avoiding accidental processing of personal data (for example, sending it to the wrong recipient).

C) Detecting Security Events

C.1 Security Monitoring

You have mechanisms in place to detect security events that affect the systems processing personal data, and you monitor the access of authorized users.

Your monitoring covers the status of the systems that process personal data and user access to that data, so that unusual user activity can be identified.

You record user access to personal data, and you have procedures to respond appropriately and promptly to unexpected events or to indicators of a personal data breach.
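
The monitoring described above has to turn into concrete rules over the access records you keep. The following is an added example, not from the NCSC guidance or from this page: a few simple detections run over a constructed application audit log (access outside working hours, bulk access, access from outside the internal network, mass deletion, and use of an account that is not on the access register). The log format, thresholds, network ranges and user list are assumptions for illustration; real rules would be tuned to your own baselines.

```python
"""Flag unusual access to personal data from an application audit log.

Added example, not from the NCSC guidance or the page it summarizes. The
log format, thresholds, network prefix, user list and sample lines are all
constructed for illustration.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from datetime import datetime

# Constructed audit log. Fields: timestamp, user, action, record count, source IP.
AUDIT_LOG = """\
2025-06-02T09:12:04 alice READ   1    10.0.1.15
2025-06-02T09:15:40 alice READ   1    10.0.1.15
2025-06-02T10:02:11 bob   EXPORT 3    10.0.1.22
2025-06-02T11:47:03 alice READ   2    10.0.1.15
2025-06-02T23:31:58 bob   EXPORT 5000 203.0.113.9
2025-06-02T23:33:10 bob   DELETE 40   203.0.113.9
2025-06-03T08:59:30 eve   READ   1    10.0.1.40
"""

WORKING_HOURS = range(8, 19)          # constructed policy: 08:00 to 18:59
BULK_THRESHOLD = 500                  # records in one event that warrant review
TRUSTED_NETWORKS = ("10.0.",)         # constructed internal address prefix
AUTHORISED_USERS = {"alice", "bob"}   # constructed; would come from the access register


def parse(log: str):
    """Yield one dict per log line (whitespace-separated fields)."""
    for line in log.splitlines():
        ts, user, action, count, ip = line.split()
        yield {"ts": datetime.fromisoformat(ts), "user": user,
               "action": action, "count": int(count), "ip": ip}


def detect(log: str) -> list[tuple[str, str, str]]:
    """Return (user, rule, evidence) for every event that breaks a rule.

    One event can trip several rules; that is useful, because an export of
    5000 records at 23:31 from an external address is three signals pointing
    at the same session.
    """
    alerts: list[tuple[str, str, str]] = []
    for ev in parse(log):
        who, when = ev["user"], ev["ts"]
        if who not in AUTHORISED_USERS:
            alerts.append((who, "unauthorised-account", f"{ev['action']} at {when}"))
        if when.hour not in WORKING_HOURS:
            alerts.append((who, "out-of-hours", f"{ev['action']} at {when}"))
        if ev["count"] >= BULK_THRESHOLD:
            alerts.append((who, "bulk-access", f"{ev['action']} of {ev['count']} records"))
        if not ev["ip"].startswith(TRUSTED_NETWORKS):
            alerts.append((who, "external-source", f"from {ev['ip']}"))
        if ev["action"] == "DELETE" and ev["count"] > 1:
            alerts.append((who, "mass-delete", f"{ev['count']} records"))
    return alerts


def summarise(alerts: list[tuple[str, str, str]]) -> dict[str, Counter]:
    """Count rule hits per user so an analyst sees the noisiest accounts first."""
    per_user: dict[str, Counter] = defaultdict(Counter)
    for user, rule, _ in alerts:
        per_user[user][rule] += 1
    return dict(per_user)


if __name__ == "__main__":
    found = detect(AUDIT_LOG)
    for user, rule, evidence in found:
        print(f"{user:<6} {rule:<21} {evidence}")
    print(summarise(found))
```

On the constructed log alice's daytime reads from the internal network trip nothing, eve is flagged only for not being on the register, and bob's two late-night events from an external address trip out-of-hours, bulk-access, external-source and mass-delete. Rules this simple are a starting point, not a detection programme: the thresholds and the working-hours window should come from observed baselines, and the unauthorised-account rule is only as good as the access register it is fed from.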

D) Minimizing the Impact

You have the capability to:

  • minimize the impact of a personal data breach
  • restore your systems and services
  • manage incidents effectively
  • learn lessons for the future

D.1 Response and Recovery Planning

You have well-defined and tested incident management processes for personal data breaches, and mitigations in place to limit the amount of personal data that could be compromised if a breach occurs.

In situations where the unavailability of personal data may cause harm, recovery measures should be implemented, including maintaining secure backups.

D.2 Improvements

When a personal data breach occurs, you take steps to:

  • determine the root cause
  • report the breach to the Information Commissioner and, where required, inform the affected individuals
  • notify other relevant bodies (such as other regulators, the NCSC, and/or law enforcement) when appropriate or required
  • implement necessary remedial actions.

Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/guidance/gdpr-security-outcomes
