GDPR must be complied with by every data controller and data processor within the European Union (EU), as well as by entities that process information about living EU residents or nationals. A data controller is any organization that defines the purposes and procedures for personal data processing, while a data processor is any company that handles personal data on behalf of the data controller.
The primary aim of the regulation is to protect individuals' data, which can be classified in two categories: ‘personal data’ and ‘sensitive personal data’. The first group includes emails, physical addresses, IP addresses or any other information that can help to identify a user, while the latter covers information related to health, biometrics and genetics.
The main principles of GDPR are concerned with guaranteeing transparency in data processing; fairness, meaning that the processing matches how it is described; and adequacy, meaning that the information is relevant and limited to what is necessary in relation to the purposes for which the data are being processed.
The organization is required to remain proactive, developing a plan to prevent and detect a data breach and to evaluate, on a periodic basis, the effectiveness of security practices, while keeping records on performance to establish a path to continual improvement.
The aim of GDPR is to cover all IT systems, including network, endpoints and mobile devices. However, it is a priority to first define a catalogue of the assets in which personal data are processed or stored.
It is important to identify which devices process or store sensitive data, including cloud services and devices used under a Bring Your Own Device (BYOD) policy.
Article 30 of the GDPR requires the organization to keep records of the processing assets and activities under its responsibility.
The SOC provides a facility or service for managing information security events. Through it, a company can monitor all user and system activity to identify malicious or suspicious behaviour across every asset within its scope, centralizing the logs from applications, systems and the network and correlating every alert so that undesirable activity is detected proactively.
The information gathered can be used to investigate the root cause of a security incident by determining the attack method through a forensic analysis procedure.
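The two pieces described above, an asset catalogue that records which systems hold personal data and a SOC pass that centralizes logs from several sources and correlates them, can be shown together in a small script. This is an added example and not code from the original post or from its author; the asset names, users, sources and log lines are all constructed, and the three detection rules (a burst of failed logins followed by a successful login to an in-scope asset, a bulk export from an in-scope asset, and off-hours access to sensitive data) are illustrative thresholds, not anything the GDPR prescribes.

```python
# Added example (not from the original post): a minimal in-scope asset catalogue
# in the spirit of an Article 30 record, plus a SOC-style correlation pass over
# centralised log lines that flags activity touching personal-data assets.
# Asset names, owners, users, sources and log lines are all constructed.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str
    data_categories: frozenset   # subset of {"personal", "sensitive"}; empty = out of scope
    location: str                # "on-prem", "cloud" or "byod"


# Constructed catalogue: which assets process or store personal data.
CATALOGUE = {
    "crm-db": Asset("crm-db", "sales", frozenset({"personal"}), "on-prem"),
    "hr-files": Asset("hr-files", "hr", frozenset({"personal", "sensitive"}), "cloud"),
    "build-ci": Asset("build-ci", "eng", frozenset(), "on-prem"),
}


def in_scope_assets(catalogue=CATALOGUE):
    """Names of assets that hold personal or sensitive data (the GDPR-relevant subset)."""
    return sorted(a.name for a in catalogue.values() if a.data_categories)


# Every source (VPN, database, CI, cloud storage) is normalised to one line format
# before correlation; this regex is the constructed "common schema".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<source>\w+) user=(?P<user>\S+) asset=(?P<asset>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\w+)(?: rows=(?P<rows>\d+))?$"
)


def parse(line):
    """Turn one normalised log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.fromisoformat(d["ts"])
    d["rows"] = int(d["rows"]) if d["rows"] else 0
    return d


def correlate(lines, catalogue=CATALOGUE, window=timedelta(minutes=10),
              fail_threshold=3, bulk_rows=1000):
    """Return (rule, user, asset, timestamp) alerts for events on in-scope assets."""
    events = sorted(filter(None, map(parse, lines)), key=lambda e: e["ts"])
    alerts = []
    recent_failures = defaultdict(list)   # user -> timestamps of failed logins
    for e in events:
        if e["action"] == "login" and e["result"] == "failure":
            recent_failures[e["user"]].append(e["ts"])
            continue
        asset = catalogue.get(e["asset"])
        if asset is None or not asset.data_categories:
            continue   # no personal data on this asset: outside the GDPR scope
        # Rule 1: several failed logins, then a successful login to an in-scope asset
        fails = [t for t in recent_failures[e["user"]] if e["ts"] - t <= window]
        if e["action"] == "login" and e["result"] == "success" and len(fails) >= fail_threshold:
            alerts.append(("login-after-failures", e["user"], e["asset"], e["ts"]))
        # Rule 2: bulk export of records from a personal-data asset
        if e["action"] == "export" and e["rows"] >= bulk_rows:
            alerts.append(("bulk-export", e["user"], e["asset"], e["ts"]))
        # Rule 3: any access to sensitive data outside business hours (08:00-19:00)
        if "sensitive" in asset.data_categories and not 8 <= e["ts"].hour < 19:
            alerts.append(("off-hours-sensitive-access", e["user"], e["asset"], e["ts"]))
    return alerts


# Constructed sample timeline from four sources; the last line is deliberately malformed.
LOGS = [
    "2024-03-04T10:00:00 vpn user=jdoe asset=vpn action=login result=failure",
    "2024-03-04T10:00:20 vpn user=jdoe asset=vpn action=login result=failure",
    "2024-03-04T10:00:40 vpn user=jdoe asset=vpn action=login result=failure",
    "2024-03-04T10:03:00 db user=jdoe asset=crm-db action=login result=success",
    "2024-03-04T10:04:00 db user=jdoe asset=crm-db action=export result=success rows=25000",
    "2024-03-04T11:00:00 ci user=build asset=build-ci action=export result=success rows=90000",
    "2024-03-04T23:30:00 cloud user=asmith asset=hr-files action=read result=success",
    "garbled line that the parser skips",
]

if __name__ == "__main__":
    print("in-scope assets:", in_scope_assets())
    for alert in correlate(LOGS):
        print(alert)
```

The build server export is ignored even though it moves far more rows than the CRM export, because the catalogue says it holds no personal data; that scoping step is what keeps the SOC focused on the assets the regulation actually covers, and it is also why the catalogue has to be kept current.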
IT security assessments should be performed on a periodic basis to detect vulnerabilities that need to be resolved. Once a vulnerability has been detected, it is necessary to consider several questions: how many personal records were exposed, whether the vulnerability has been exploited, and whether there has been an attempt to exploit it.
Finally, the detected vulnerabilities require a planned solution that will resolve the vulnerability efficiently, while ensuring that records are kept on the solutions developed and deployed.
Article 35 of the GDPR requires the performance of a Data Protection Impact Assessment (DPIA) or similar procedures, while article 32 requires the organization to deploy security measures appropriate to protecting the personal data, aligned with the detected risks.
Alignment with IT Security frameworks such as ISO/IEC 27001:2013, and even certification, can provide a wider view on risk assessment.
There are other IT security frameworks that could be helpful, such as NIST, PCI DSS, COBIT, among others.
Article 32 of the GDPR provides guidance on tests, assessment and the evaluation of the effectiveness of measures for ensuring the security of data processing.
Suggested procedures to measure the effectiveness of security controls include:
It is mandatory to plan detection and response to a potential data breach in order to minimize its impact, providing a quick and effective incident management procedure.
The incident response plan should include detection, analysis, containment and mitigation procedures. These steps are to be planned and established on a timeline.
Those procedures should be tested and measured regularly, as part of a continuous improvement approach.
When a data breach succeeds, the organization needs to report it to the regulatory body within 72 hours of becoming aware of the incident. However, high-risk incidents should be reported immediately, as article 31 of the GDPR states.
This notification should include a description of the breach, the Data Protection Officer’s (DPO) contact details, the possible consequences of the breach and the measures deployed or planned to address the breach and mitigate its negative effects.
In relation to the previous step, the incident response plan needs to be tested and measured regularly, with the aim of achieving continuous improvement.
Are you ready for GDPR compliance? Tell us how you plan to achieve compliance and how you plan to address these and any other issues that may arise. Contact us if you need further help; we will be happy to hear from you and help you.