Your organization has established appropriate structures, policies, and processes to comprehensively understand, evaluate, and manage security risks associated with personal data.
Moreover, you have implemented data protection and information security policies and processes. Where required, you maintain records of processing activities and have designated a Data Protection Officer.
It is essential to take adequate measures to identify, assess, and comprehend security risks related to personal data and the various systems involved in processing this data.
The General Data Protection Regulation (GDPR) advocates a risk-based approach to data protection and to the security of processing systems and services. It requires you to assess these risks and implement appropriate organizational measures, taking risk-based decisions that account for:
- the current state of technology
- cost implications for implementation
- the nature, scope, context, and intended purpose of processing
- the severity and likelihood of those risks being realized.
Furthermore, if the processing is likely to pose a high risk to individual rights and freedoms, you are required to perform a Data Protection Impact Assessment (DPIA) to analyze the potential impact of intended processing on personal data protection. The DPIA must evaluate the necessary technical and organizational measures needed to mitigate that risk. If such measures do not sufficiently reduce the risk to an acceptable level, you must establish a process for consulting with the Information Commissioner’s Office (ICO) prior to commencing processing.
It’s vital to comprehend and document the personal data you process and articulate the purpose behind such processing. You should also assess the risks posed to individuals due to any unauthorized or unlawful processing, accidental loss, destruction, or damage to that data.
The personal data you deal with must be adequate, relevant, and limited to what is necessary for the intended purpose. Additionally, it should not be retained longer than necessary.
A.4 Data Processors and the Supply Chain
You are responsible for understanding and managing security risks affecting your processing operations resulting from dependencies on third parties like data processors. This encompasses ensuring that these entities incorporate adequate security measures.
When engaging with data processors, you must select those that provide sufficient assurances regarding their technical and organizational measures. GDPR provisions specify stipulations that must be present in your contracts with processors.
B) Safeguarding Personal Data from Cyber Attacks
You should establish appropriate security measures to protect against cyber attacks that threaten:
- the personal data you process, and
- the systems that process it.
B.1 Service Protection Policies and Processes
It is crucial to define, implement, communicate, and enforce suitable policies and processes directing your overall strategy toward securing the systems involved in personal data processing.
Consider assessing your systems and implementing specific technical controls outlined in established frameworks (e.g., Cyber Essentials).
You must document and manage access to personal data and to the systems involved in processing it. Access rights granted to individual users should be clearly understood, limited to those who need access to perform their role, and revoked when no longer necessary. Regular checks should confirm that the permissions actually configured on your systems align with the documented user access rights.
Users (or automated functions) accessing personal data must be correctly authenticated and authorized. Use strong authentication methods for users with privileged access, and consider two-factor or hardware-based authentication.
Users should not be able to download, transfer, alter, or delete personal data without a legitimate organizational reason. Ensure that legitimate access is appropriately constrained and that an adequate audit trail is maintained.
A robust password policy is necessary to prevent the use of weak, easily guessable passwords. Change all default passwords and deactivate or suspend unused accounts.
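The access-control expectations above (documented rights matching live permissions, privileged users on strong authentication, no default passwords, unused accounts suspended) can be checked mechanically. The following is an added example, not code from the NCSC guidance; the access register, the account export and its field names are constructed for illustration.

```python
"""Access review reconciling the documented access register against a live
account export. Added example, not NCSC's own code; all data is constructed."""
from datetime import date

# Constructed register: user -> roles they are documented as needing.
ACCESS_REGISTER = {"alice": {"hr_read"}, "bob": {"hr_read", "hr_export"},
                   "carol": {"hr_admin"}}
# Constructed export of live accounts from a hypothetical HR system.
LIVE_ACCOUNTS = [
    {"user": "alice", "roles": {"hr_read"}, "last_login": "2024-05-02",
     "mfa": False, "default_password": False},
    {"user": "bob", "roles": {"hr_read", "hr_export", "hr_admin"},
     "last_login": "2024-04-30", "mfa": True, "default_password": False},
    {"user": "carol", "roles": {"hr_admin"}, "last_login": "2023-11-01",
     "mfa": False, "default_password": False},
    {"user": "svc_import", "roles": {"hr_read"}, "last_login": "2024-05-01",
     "mfa": False, "default_password": True},
]
PRIVILEGED_ROLES = {"hr_admin", "hr_export"}  # roles that need strong auth


def review_access(register, accounts, today, dormant_days=90):
    """Return (user, finding) pairs needing action; today is an ISO date."""
    as_of = date.fromisoformat(today)
    findings = []
    for acct in accounts:
        user, roles = acct["user"], acct["roles"]
        documented = register.get(user, set())
        if user not in register:
            findings.append((user, "account not in access register"))
        # Permissions the system grants that no documented need supports.
        for role in sorted(roles - documented):
            findings.append((user, f"undocumented role {role}; revoke"))
        # Documented rights the system does not reflect: register is stale.
        for role in sorted(documented - roles):
            findings.append((user, f"documented role {role} missing; review"))
        idle = (as_of - date.fromisoformat(acct["last_login"])).days
        if idle > dormant_days:
            findings.append((user, f"dormant for {idle} days; suspend"))
        if roles & PRIVILEGED_ROLES and not acct["mfa"]:
            findings.append((user, "privileged access without MFA"))
        if acct["default_password"]:
            findings.append((user, "default password still set"))
    return findings


if __name__ == "__main__":
    for user, finding in review_access(ACCESS_REGISTER, LIVE_ACCOUNTS, "2024-05-03"):
        print(f"{user}: {finding}")
```

Run periodically against a fresh export, the findings list is the evidence that the documented rights and the configured permissions were compared.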
Implement technical controls, such as encryption, to guard against unauthorized or unlawful processing of personal data, whether resulting from unauthorized access to devices, storage media, or backups, interception of data in transit or at rest, or access to data remaining in memory when technology is retired or disposed of.
Establish appropriate technical and organizational measures to secure systems, technologies, and digital services processing personal data from cyber attacks.
While GDPR requires a risk-based approach, commonly expected security measures include:
- Tracking all assets processing personal data, including end-user devices and removable media.
- Reducing attack vectors by configuring technology correctly, minimizing available services, and controlling connectivity.
- Actively managing software vulnerabilities through the use of supported software and applying software update policies (patching) as well as taking other mitigating steps when patches cannot be applied.
- Managing end-user devices (laptops, smartphones, etc.) so that organizational controls oversee software or applications interacting with or accessing personal data.
- Encrypting personal data at rest on devices that lack strong physical security controls (like laptops, smartphones, and removable media).
- Encrypting personal data during electronic transmission.
- Ensuring web services are protected against common security vulnerabilities such as SQL injection and others outlined in widely-used resources like the OWASP Top 10.
- Maintaining the security of your processing environment throughout its entire lifecycle.
Regular testing is necessary to assess the effectiveness of your security measures, encompassing virus and malware scanning, vulnerability scanning, and as appropriate, penetration testing. Ensure the results of any testing and remediation action plans are recorded.
No matter what security measures are implemented, whether they are your own or provided by a third-party service (such as a cloud provider), you remain responsible for the processing itself and any devices you operate.
Staff must be adequately supported to handle personal data securely, including in their use of the technology involved. This comprises the training and resources they need to carry out their responsibilities while keeping personal data secure.
Staff must receive support to prevent accidental processing of personal data, such as sending it to incorrect recipients.
You need to be able to detect security events affecting the systems that process personal data, and to monitor authorized user access to that data.
It is important to monitor the statuses of systems that process personal data, as well as to track user access to that data, including unusual user activity.
Maintaining records of user access to personal data is essential. When unexpected events or signs of a personal data breach occur, you must have processes ready to address those events promptly.
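A record of user access is only useful if something reviews it. As an added example (not the guidance's own code), the following runs over a constructed audit trail, one JSON object per line, and flags the kinds of unusual activity described above: access by an account with no authorization, access from a source never seen for that user, and a burst of many records touched in a short window. The record format, the authorized-user set and the per-user baseline of known sources are assumptions.

```python
"""Detect unusual user access to personal data in an audit trail.
Added example, not NCSC's own code; log lines are constructed and the
record format (one JSON object per line) is a hypothetical convention."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

AUDIT_LOG = """\
{"ts": "2024-05-03T09:01:10", "user": "alice", "record": "cust-1001", "src": "10.0.5.21"}
{"ts": "2024-05-03T09:02:40", "user": "alice", "record": "cust-1002", "src": "10.0.5.21"}
{"ts": "2024-05-03T09:03:05", "user": "bob", "record": "cust-2001", "src": "10.0.7.8"}
{"ts": "2024-05-03T22:14:00", "user": "bob", "record": "cust-3001", "src": "203.0.113.9"}
{"ts": "2024-05-03T22:14:01", "user": "bob", "record": "cust-3002", "src": "203.0.113.9"}
{"ts": "2024-05-03T22:14:02", "user": "bob", "record": "cust-3003", "src": "203.0.113.9"}
{"ts": "2024-05-03T22:14:03", "user": "bob", "record": "cust-3004", "src": "203.0.113.9"}
{"ts": "2024-05-03T10:30:00", "user": "mallory", "record": "cust-1003", "src": "10.0.5.40"}
"""
AUTHORIZED_USERS = {"alice", "bob"}  # taken from the access register
KNOWN_SOURCES = {"alice": {"10.0.5.21"}, "bob": {"10.0.7.8"}}  # baseline


def detect_unusual_access(log_text, max_records=3, window=timedelta(minutes=5)):
    """Return a sorted list of (user, reason) alerts."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])  # ISO timestamps sort lexically
    alerts = set()
    per_user = defaultdict(list)
    for ev in events:
        user = ev["user"]
        if user not in AUTHORIZED_USERS:
            alerts.add((user, "access by account with no authorization"))
        if ev["src"] not in KNOWN_SOURCES.get(user, set()):
            alerts.add((user, f"access from unseen source {ev['src']}"))
        ts = datetime.fromisoformat(ev["ts"])
        per_user[user].append((ts, ev["record"]))
        # Sliding window: distinct records this user touched within `window`.
        recent = {r for t, r in per_user[user] if ts - t <= window}
        if len(recent) > max_records:
            alerts.add((user, f"{len(recent)} records in {window}"))
    return sorted(alerts)


if __name__ == "__main__":
    for user, reason in detect_unusual_access(AUDIT_LOG):
        print(f"ALERT {user}: {reason}")
```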
You should be capable of:
- Minimizing the consequences of a personal data breach
- Restoring your systems and services
- Managing incidents appropriately
- Learning from experiences for future improvements
D.1 Response and Recovery Planning
Ensure that clearly defined and tested incident management processes are in place for responding to personal data breaches. Mitigation strategies should be established to contain or limit the range of personal data potentially compromised in the event of a breach.
If loss of availability of personal data could result in harm, appropriate recovery measures must be in place, including the secure maintenance of the necessary backups.
In the event of a personal data breach, you should follow these steps:
- Identify the root cause
- Report the breach to the Information Commissioner and, if necessary, to affected individuals
- When warranted, report to relevant bodies (such as other regulators, the NCSC, and/or law enforcement)
- Implement appropriate remediation actions.
Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/guidance/gdpr-security-outcomes