Although the European Union General Data Protection Regulation (GDPR) extends beyond traditional data security, it is the security aspect that causes organizations the biggest headaches, given the rapidly increasing number of data breaches. Below are relevant excerpts from the GDPR text that all information security professionals whose organizations are subject to GDPR should be familiar with.
Article 25 “Data protection by design and by default” [1]:
- Taking into account the state of the art, the cost of implementation and the nature, scope, context and purpose of processing, organizations shall implement appropriate technical and organizational measures appropriate to the risk, including measures such as pseudonymization and data minimization.
- Implement technical and organizational measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed. This applies to the amount of personal data collected, the period of storage and their accessibility. In particular, measures shall be taken so that by default personal data are not made available to an indefinite number of natural persons.
- A certification mechanism shall be deployed to demonstrate compliance with paragraphs 1 and 2 above.
Article 32 “Security of processing” [2]:
- Taking into account the state of the art, the cost of implementation and the nature, scope, context and purpose of processing, organizations shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
  - The pseudonymization and encryption of personal data
  - The ability to ensure the confidentiality, integrity, availability and resilience of processing systems and services
  - The ability to restore access to personal data in a timely manner in the event of a physical or technical incident
  - A process for regularly testing, assessing and evaluating the effectiveness of the measures taken to ensure the security of processing
- In assessing the appropriate level of security, specific account shall be taken of the risks presented by accidental or unlawful destruction, loss or unauthorized access to personal data.
Article 33 “Notification of a personal data breach to the supervisory authority” [3]:
- In the case of a personal data breach, the organization shall inform the supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it.
- The notification shall at least:
  - Describe the nature of the personal data breach and the approximate number of data subjects and personal data records concerned
  - Communicate the name and contact details of the Data Protection Officer, if applicable
  - Describe the likely consequences of the breach
  - Describe the measures taken to address the personal data breach and/or the measures taken to mitigate its possible effects
For more information on the critical steps to take to increase visibility and control access to your network, read last week’s blog: “Transforming Security through Visibility”