Published on Oct 29, 2021
Over the last three articles, we've been writing about the different steps involved in carrying out a GDPR compliance audit and GDPR readiness assessment. In the first part of the series, we discussed how to conduct a data mapping exercise to identify what personal data your organisation holds. This was followed up with a blog about establishing a lawful reason for processing, and more recently, we wrote about conducting a GDPR policy and privacy information review. Now, in the final part of the series, we turn our attention towards the physical and technical measures that enable you to process personal data securely.
The information and data you hold are constantly at risk from a variety of threats across physical and digital domains. The types of attacks that your organisation is vulnerable to range from indiscriminate, non-targeted cyber-attacks to the potentially more dangerous malicious targeted attacks that probe all your defences for exploitable weaknesses, along with insider threats, which can be either intentional or accidental.
Regardless of the threat, protecting data assets is a thankless task, one in which you are forever chasing your tail and putting out fires to ensure that the confidentiality, integrity, and availability of your systems remain intact at all times. It can often feel like you're only noticed when things go wrong, which is not the kind of attention anyone wants in their role. This is often the case when that attention comes in the form of angry and disgruntled customers or service users following an unauthorised disclosure of personal data. At that point, where there is an actual risk of harm, the Information Commissioner's Office (ICO) may choose to open an investigation for a breach of the UK General Data Protection Regulation (GDPR).
For seasoned information security professionals, avoiding this kind of attention and all the associated negative reputational impacts that come with it is a reward in itself. Therefore, the sensible approach is to ensure appropriate technical and organisational measures are in place, alongside robust test and review processes to determine the effectiveness of your security measures so that you can carry out improvements as required. This brings us back to the topic in question: how to conduct a GDPR data security review.
A key GDPR principle is the requirement to have in place appropriate data security. Article 5(1)(f) states personal data shall be:
Following on, Article 32 of the GDPR requires the implementation of:
For more information, the ICO provides organisations with detailed guidance on how to process personal data securely.
If you take the security of personal data seriously, you need to regularly test the control measures put in place to ensure that they provide the necessary level of protection. Read on to discover the six steps required to conduct an effective data security review.
Information risk assessments are a fundamental aspect of GDPR compliance. They are used to identify and evaluate the risks that could result in accidental or unlawful destruction, loss, or disclosure of personal data. This involves identifying any internal or external threats that could exploit vulnerabilities within your systems and then assessing their likelihood of occurrence, weighed against their impact and the potential harm that they could cause.
Risk assessments are often time-consuming and complex in nature. They require a methodology to be agreed upon upfront to ensure consistency and allow you to consider your priorities effectively. While risk assessments can be carried out manually, numerous data discovery tools are available to help manage this important compliance activity.
To conduct a GDPR information risk assessment, you will need to have identified what personal data assets your organisation holds - see our article on data mapping.
Alongside your information risk assessment, ensure all relevant data protection, security, and IT policies are in place, up to date, and reflective of the measures necessary to address risk appropriately - take a look at our article on conducting a policy review.
Where personal data is processed by external service providers (processors), ensure that a written contract exists, including clauses for information security and GDPR compliance. As part of your due diligence, ask for details about their privacy management practices and, where possible, visit their premises to check whether they have suitable security arrangements in place. Also, make sure that contracts include a requirement to delete or return any personal data when the contract ends.
Privacy and security are essential elements of your organisation's culture, particularly where GDPR compliance is concerned. This applies throughout the organisation, from senior executives through to frontline employees. Ensure that a robust governance structure is in place, with internal guidelines for processing and securing data, and that all staff understand the individual role they play in privacy and GDPR compliance management.
Check that all employees involved in the processing of personal data receive regular awareness training clearly outlining internal privacy and security policy guidelines. See our GDPR Training Paths resource for more information about how to implement a culture of privacy.
Due to the complexity of security risks faced today, issues such as threat management, breach detection, and intrusion prevention are often prioritised over physical security. The security of your offices and storage facilities may seem obvious, but these measures must be checked to review who has access, as well as when and how. This includes whether visitors require an escort and whether employees challenge people they do not recognise. Also, make sure paper records and documents are disposed of securely.
It is important to maintain an up-to-date record (asset register) of all the IT equipment and applications used throughout the business and who the asset owner is, as not all systems are purchased using a central budget. This should include where the equipment is located and whether it is a portable device or used in a work-from-home environment. A procedure to check hardware assets are returned on termination of employment or contract must be in place too.
User access controls, password or authentication processes, firewalls, and malware protection systems should all be in place, along with patch management, systems monitoring, and regular backups.
Also, assess the risks of mobile working, including working from home, and ensure policies are in place that set permissions or restrictions for different devices. For example, laptops and removable storage devices such as USB drives should be encrypted to minimise the risk of a data breach if they are misplaced or stolen.
The responsibility is placed on you to have suitable processes in place to identify, report, manage and resolve any personal data breaches. This includes providing training to employees so that they know how to recognise and respond to presumed breaches of personal information.
Confirm that processes are in place to assess each loss of personal data on a case-by-case basis to determine whether it meets the criteria to notify the ICO or inform the data subject(s).
Whatever the cause of the breach, check your systems are sufficient to enable an investigation into the cause, to implement recovery plans, and to learn how to prevent the same breach from happening again in the future.
Good data security ensures that a business can function normally and take advantage of the opportunities that technology offers. The decision about how often to conduct a data security review is down to each organisation. You may choose to perform them monthly, quarterly, or bi-annually. However, it's recommended that these audits be performed at least twice a year.
In addition to conducting data security reviews, we recommend completing the ICO Security checklist to assess whether your practices align with their recommended guidance.
Who should conduct a data security review?
In most cases, it will involve a team rather than a single person. Those carrying out the review will require knowledge of data protection and privacy compliance, information security, risk, and IT. They will also need the ability to facilitate the improvements and changes highlighted during the process.
Alongside the certified data protection training courses we offer from BCS and the IAPP, we have added two new professional qualifications: the BCS Certificate in Information Security Management Principles and IAPP Certified Privacy Technologist.