What does GDPR say about security?
It may seem obvious to consider information security alongside data privacy but what exactly does the new, forthcoming, General Data Protection Regulation (GDPR) stipulate?
Actually, the GDPR does not contain specific security requirements. Under Article 32, titled “Security”, just 135 words describe them:
“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”
The word ‘appropriate’ is mentioned 3 times here. Whilst this gives a certain degree of flexibility in setting the organisation’s security controls, it also carries the risk that a regulator’s view could differ from yours when it comes to the security measures you’ve put in place.
This means you need to be ready to demonstrate and defend your approach and the operational effectiveness of the security controls in place.
Chris Zoladz*, Founder of information & privacy advisors, Navigate LLC, and former Chairman of the International Association of Privacy Professionals (IAPP) offers…
4 high-level tips to help you demonstrate and defend the organisation’s security efforts:
- Use a recognised security framework — If your organisation does not already use a security framework such as ISO 27001/2 to guide your security program, select a framework, or combination of known frameworks that will inform the components of the overall security program.
- Manage security risk — Not all security risk is equal and not all risk can or should be eliminated. It simply is not realistic, cost-effective or necessary. Thankfully, the GDPR recognises that reality. However, you still need to assess security risks and take reasonable steps to mitigate significant risks, implement compensating controls or justify why an unmitigated risk will be accepted. Every organisation should use a risk framework and have a process to evaluate and govern risk. If your organisation does not currently have a formal process to identify, document and manage security risks, leverage ISO 27001, NIST or another framework to make improvements. This does not mean that your organisation needs to implement every element in any particular framework, but instead it will serve as a starting point or reference to help ensure the necessary elements of risk management are addressed.
- Documentation is your friend — When there is an issue that results in an investigation or audit, the success of the organisation’s defence will be directly related to the strength of the “show and tell” that is presented to the regulator or auditor. Documentation is the “show” piece of the defence that can be used to demonstrate that security controls are in place (e.g., a list of all employees who complete the security training) and are operating effectively (e.g., the access control logs show that an unauthorised access attempts to a system with personal data were identified and investigated). Maintain a reasonable level of documentation to demonstrate and defend the security controls in place.
- Continuously “read and react” — Technology, business requirements and legal requirements will continuously change over time. As a result, new risks will emerge, and new or different security controls will be needed. This will be an endless cycle and requires that the organisation be continuously adapting and refining its security posture to be responsive to new risks. Security, like privacy, is an ongoing process, not a one-time project.
Keeping the GDPR security requirements simple
Standards like ISO 27001:2013 encourage continuous improvement. By external auditing, with independent certification, you will give your customers the confidence they need to see you are maintaining the ISMS and satisfying the requirement for regular reviews and ongoing management.
With customers also likely to hold different views about what security controls are appropriate, implementing one well recognised standard will help to avoid being pulled in different directions.
ISMS.online makes it simple to describe, demonstrate and defend your data privacy and information security practices and controls.
Use our pre-built GDPR and ISO 27001 frameworks, ISO 27001 policies and controls together with risk management tools and tools for managing other work processes required by the GDPR.