GDPR security outcomes

A) Managing Security Risk

Your organization has established robust structures, policies, and processes to recognize, evaluate, and effectively manage security risks associated with personal data.

A.1 Governance

You have detailed data protection and information security policies in place. Where the GDPR requires it, you maintain records of your processing activities and designate a Data Protection Officer.

A.2 Risk Management

You actively identify, assess, and comprehend security risks related to personal data and the systems responsible for processing it.

The GDPR takes a risk-based approach to data protection and to the security of processing systems and services. You should assess these risks and put in place appropriate technical and organizational measures, making risk-based decisions that take into account:

  • the state of the art
  • the costs of implementation
  • the nature, scope, context, and purposes of the processing
  • the severity and likelihood of the risks materializing.

Where processing is likely to result in a high risk to individuals' rights and freedoms, you must carry out a Data Protection Impact Assessment (DPIA) to evaluate the effect of the intended processing on the protection of personal data. The DPIA should set out the technical and organizational measures needed to mitigate those risks. If those measures do not reduce the risk to an acceptable level, you must have a process for consulting the ICO (the UK supervisory authority) before the processing begins.

A.3 Asset Management

You have a clear understanding of the personal data you manage and can articulate the reasons for processing it. Furthermore, you recognize the risks that unauthorized or unlawful processing, as well as accidental loss, destruction, or damage to that data, pose to individuals.

The personal data you manage should be sufficient, pertinent, and restricted to what is essential for the intended purpose, and it should not be retained longer than necessary.

A.4 Data Processors and Supply Chain

You are aware of and manage the security risks to your processing operations that arise from dependencies on third parties, including data processors. This includes ensuring that those third parties employ suitable security measures.

When engaging data processors, you must select only those that provide sufficient guarantees regarding their technical and organizational measures. The GDPR (Article 28) sets out specific terms that your contracts with processors must contain.

B) Safeguarding Personal Data Against Cyber Attacks

You have established proportional security measures to protect against cyber attacks encompassing:

  • the personal data you manage
  • the systems that handle such data

B.1 Service Protection Policies and Processes

You should draft, implement, communicate, and enforce suitable policies and processes that govern your overall strategy for securing systems involved in personal data processing.

Assessing your systems and instituting specific technical controls in accordance with relevant frameworks (like Cyber Essentials) is also advisable.

B.2 Identity and Access Control

You understand, document, and manage access to personal data and the systems that process it. Access rights assigned to individuals must be justified, limited to those who need them for their role, and revoked when no longer required. You should perform checks to confirm that the permissions actually configured on your systems match your documented access rights.
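As an added example (it is not part of the NCSC guidance), the following Python script performs the last check above: it compares a documented access register against an export of the permissions a system actually grants and reports grants nobody has justified, grants whose review date has passed, and documented grants that are not actually configured. The register fields, the user and system names, and the permission export are all constructed for the illustration; in practice the export would come from your directory or IAM tooling.

```python
"""Reconcile a documented access register with the permissions a system
actually grants. Added example; register layout, names and the permission
export below are constructed, not taken from any real system."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True, order=True)
class Grant:
    user: str
    system: str
    role: str


# Constructed register: what the organisation has documented and justified,
# with a review date after which the entry must be re-approved.
REGISTER = [
    {"user": "alice", "system": "crm", "role": "reader",
     "justification": "sales support", "review_by": "2025-12-31"},
    {"user": "bob", "system": "crm", "role": "admin",
     "justification": "platform team", "review_by": "2024-06-30"},
    {"user": "carol", "system": "hr-db", "role": "reader",
     "justification": "payroll", "review_by": "2025-12-31"},
]

# Constructed export of what the systems actually grant (the shape a group
# or role dump from an IAM system or directory would have after parsing).
ACTUAL = [
    Grant("alice", "crm", "reader"),
    Grant("alice", "crm", "admin"),    # no register entry: excess privilege
    Grant("bob", "crm", "admin"),      # documented, but the review date has passed
    Grant("dave", "hr-db", "reader"),  # user not in the register at all
]

# Date on which the reconciliation is run (constructed).
AS_OF = date(2025, 1, 15)


def reconcile(register, actual, today):
    """Return sorted lists of Grant under the keys undocumented, stale, not_granted."""
    documented = {Grant(r["user"], r["system"], r["role"]): r for r in register}
    granted = set(actual)
    undocumented = sorted(g for g in granted if g not in documented)
    stale = sorted(
        g for g in granted
        if g in documented and date.fromisoformat(documented[g]["review_by"]) < today
    )
    not_granted = sorted(g for g in documented if g not in granted)
    return {"undocumented": undocumented, "stale": stale, "not_granted": not_granted}


if __name__ == "__main__":
    findings = reconcile(REGISTER, ACTUAL, AS_OF)
    for category, grants in findings.items():
        for g in grants:
            print(f"{category:12} {g.user}@{g.system} as {g.role}")
```

Undocumented and stale grants are the ones to revoke or re-approve; documented grants that are not configured are usually harmless but show that the register has drifted from reality and should be cleaned up so that the next review starts from an accurate list.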

User authentication and authorization must be properly managed, with strong authentication for individuals who hold privileged access; consider multi-factor or hardware-backed authentication, particularly for those accounts.

To prevent unauthorized actions, users should not be able to download, transfer, modify, or delete personal data without a legitimate organizational reason. Appropriate controls should ensure that access is legitimate and that a suitable audit trail is kept.

A robust password policy should be enforced to prevent the use of weak and easily guessable passwords. Default passwords must be changed, and unused accounts should be disabled.
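An added example of how such a policy can be enforced at the point a password is set (this is illustration, not code from the NCSC guidance): rather than relying on complexity rules, it checks the candidate against a deny-list after undoing common substitutions, rejects the username inside the password, and refuses known vendor defaults. The deny-list, the default-credential table and the length threshold are constructed and far smaller than anything you would deploy.

```python
"""Password policy check: reject weak, guessable and default passwords.
Added example; the deny-list, default-credential table and thresholds are
constructed for illustration."""
import re

MIN_LENGTH = 12

# Constructed deny-list. In practice load a large list of common and breached
# passwords plus your own organisation and product names.
DENY_LIST = {"password", "letmein", "welcome", "qwerty", "admin", "summer", "acmecorp"}

# Constructed vendor defaults that must never survive first login.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "toor"), ("pi", "raspberry")}

# Substitutions attackers' wordlists already undo, so the check undoes them too.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def normalise(password):
    """Reduce 'P@ssw0rd2024!' to 'password' so it matches the deny-list."""
    lowered = password.lower()
    stripped = re.sub(r"[^a-z]+$", "", lowered)   # drop trailing year/punctuation
    return stripped.translate(_LEET)


def check_password(username, password):
    """Return the list of policy failures; an empty list means acceptable."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if len(set(password.lower())) <= 2:
        failures.append("built from one or two repeated characters")
    if username and username.lower() in password.lower():
        failures.append("contains the username")
    normalised = normalise(password)
    if normalised in DENY_LIST:
        failures.append(f"matches deny-list entry {normalised!r} after normalisation")
    if (username.lower(), password) in DEFAULT_CREDENTIALS:
        failures.append("is a vendor default credential")
    return failures


if __name__ == "__main__":
    for user, pw in [("admin", "admin"), ("alice", "P@ssw0rd2024!"),
                     ("root", "toor"), ("alice", "correct horse battery staple")]:
        verdict = check_password(user, pw)
        print(f"{user:6} {pw!r:32} -> {verdict or 'OK'}")
```

The normalisation step is what makes the deny-list useful: without it, "P@ssw0rd2024!" passes a naive length-and-symbols policy despite being one of the first guesses any cracking wordlist makes.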

B.3 Data Security

Technical controls such as encryption should be in place to prevent unauthorized or unlawful processing of personal data, whether through unauthorized access to devices or storage media, interception of data in transit or at rest, or recovery of data remaining on the storage of devices sent for repair or disposal.

B.4 System Security

It is vital to implement appropriate technical and organizational measures to shield systems, technologies, and digital services that process personal data from the threat of cyber attacks.

Although the GDPR mandates a risk-based strategy, common examples of potential security measures include:

  • Tracking and logging all assets processing personal data, such as end user devices and removable storage.
  • Configuring technology to minimize attack surfaces, reducing available services, and controlling connectivity.
  • Actively managing software vulnerabilities by utilizing supported software and adhering to software update policies (patching), including taking alternative mitigating measures when patches cannot be applied.
  • Administering end user devices (like laptops and smartphones) to impose organizational controls over software or applications that interact with or access personal data.
  • Encrypting personal data stored on devices (laptops, smartphones, removable media) lacking robust physical controls.
  • Encrypting personal data during electronic transmission.
  • Ensuring web services are safeguarded against common security vulnerabilities such as SQL injection and other threats cited in well-known publications like the OWASP Top 10.
  • Maintaining security throughout the entire lifecycle of your processing environment.

Regular evaluations of your security measures are crucial, including virus and malware scans, vulnerability assessments, and penetration testing as warranted. Documenting the results and corrective action plans is essential.

Regardless of whether you engineer the security measures yourself or rely on a third-party provider such as a cloud service, you remain accountable for the processing and any devices you control.

B.5 Staff Awareness and Training

Providing staff with adequate support is critical for managing personal data securely, including the technologies they utilize. This comprises training and awareness initiatives, along with the provision of essential tools for fulfilling their roles securely.

Employees should receive guidance to ensure they do not unintentionally mishandle personal data (for instance, sending it to the wrong recipient).

C) Detecting Security Events

You are capable of detecting security incidents that impact systems processing personal data and can monitor authorized access to such data.

C.1 Security Monitoring

You should monitor the status of systems that access personal data and review user activity on them, including identifying anomalous behaviour.

You must record user access to personal data. When unexpected events or indicators of a personal data breach occur, you should have processes in place to act on them promptly.
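The two points above, logging access and spotting anomalous behaviour, are illustrated by the following added Python example (not code from the NCSC guidance). It parses a constructed access log for systems holding personal data, builds a per-user baseline from the days before a cutoff, and raises alerts for the review window: a user touching far more records than usual, access outside normal hours, access to a system the user has never used, and activity from a user with no history at all. The log format, the sample lines and the thresholds are assumptions made for the illustration.

```python
"""Anomaly checks over an access log for systems holding personal data.
Added example; the log format, the sample lines and the thresholds are
constructed for illustration, not taken from any product."""
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Constructed access log, one line per access; records = personal-data
# records touched. 2025-03-03 to 03-05 form the baseline, 03-06 is reviewed.
LOG = """\
2025-03-03T09:12:41Z user=alice system=crm action=view records=12
2025-03-03T14:02:10Z user=alice system=crm action=view records=8
2025-03-04T10:30:00Z user=alice system=crm action=view records=15
2025-03-05T11:45:12Z user=alice system=crm action=view records=10
2025-03-03T09:50:00Z user=bob system=crm action=view records=5
2025-03-04T09:55:00Z user=bob system=crm action=view records=7
2025-03-05T10:05:00Z user=bob system=crm action=view records=6
2025-03-06T02:15:33Z user=alice system=crm action=export records=4000
2025-03-06T10:00:00Z user=bob system=crm action=view records=6
2025-03-06T10:20:00Z user=bob system=hr-db action=view records=3
2025-03-06T11:00:00Z user=dave system=crm action=view records=2
"""

# Events before CUTOFF form the baseline; events from CUTOFF on are reviewed.
CUTOFF = datetime(2025, 3, 6, tzinfo=timezone.utc)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\w+) system=(?P<system>[\w-]+) "
    r"action=(?P<action>\w+) records=(?P<n>\d+)$"
)


def parse(line):
    """Turn one log line into a dict; refuse lines that do not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "user": m["user"], "system": m["system"],
            "action": m["action"], "n": int(m["n"])}


def detect(log_text, cutoff, hours=(7, 19), spike=5, floor=50):
    """Return sorted (user, rule, detail) alerts for events at or after cutoff,
    judged against each user's own behaviour before cutoff."""
    events = [parse(line) for line in log_text.splitlines() if line.strip()]
    baseline = [e for e in events if e["ts"] < cutoff]
    window = [e for e in events if e["ts"] >= cutoff]

    daily = defaultdict(lambda: defaultdict(int))   # user -> day -> records
    systems = defaultdict(set)                      # user -> systems touched
    for e in baseline:
        daily[e["user"]][e["ts"].date()] += e["n"]
        systems[e["user"]].add(e["system"])
    typical = {u: median(d.values()) for u, d in daily.items()}  # per-user median daily volume

    alerts = set()
    window_daily = defaultdict(int)
    for e in window:
        u = e["user"]
        if u not in typical:
            alerts.add((u, "no_history", f"first ever access, to {e['system']}"))
            continue
        if e["system"] not in systems[u]:
            alerts.add((u, "new_system", f"never accessed {e['system']} during baseline"))
        if not hours[0] <= e["ts"].hour < hours[1]:
            alerts.add((u, "out_of_hours", f"{e['action']} at {e['ts'].isoformat()}"))
        window_daily[(u, e["ts"].date())] += e["n"]
    for (u, day), n in window_daily.items():
        limit = max(spike * typical[u], floor)   # spike x the user's norm, never below floor
        if n > limit:
            alerts.add((u, "volume", f"{n} records on {day}, limit {limit:g}"))
    return sorted(alerts)


if __name__ == "__main__":
    for user, rule, detail in detect(LOG, CUTOFF):
        print(f"{user:6} {rule:13} {detail}")
```

Each alert here is a lead for the incident process in D.1, not a verdict: a 02:15 export of 4000 records by a user whose norm is 15 a day is exactly the pattern a breach would show, but it is also what a legitimate migration looks like, which is why the audit trail and a documented reason for the access matter.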

D) Minimizing the Impact

You can:

  • mitigate the effects of a personal data breach
  • restore systems and services
  • manage incidents effectively
  • glean insights for future improvements

D.1 Response and Recovery Planning

You have comprehensive, tested incident management procedures in place for handling personal data breaches. Containment measures are designed to limit the amount of personal data that can be compromised once a breach has occurred.

When the availability of personal data could pose risks, recovery measures should be implemented, which includes maintaining (and securely managing) suitable backups.

D.2 Improvements

When a personal data breach occurs, you take action to:

  • analyze the root cause
  • report the breach to the Information Commissioner without undue delay (and, where feasible, within 72 hours of becoming aware of it) unless it is unlikely to result in a risk to individuals, and inform the affected individuals when it is likely to result in a high risk to them
  • when appropriate (or required), inform relevant bodies (such as other regulators, the NCSC, or law enforcement), and
  • implement appropriate remedial measures.

Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/guidance/gdpr-security-outcomes
