In previous blog articles we looked at the first two of the four stages you should follow when getting ready for the GDPR. To recap, these are:
- Discovery – identify what personal data you have and where it resides
- Management – govern how personal data is used and accessed
- Protection – establish security controls to prevent, detect and respond to vulnerabilities and data breaches
- Reporting – execute on data requests, report data breaches and keep the required documentation
In this blog post we are going to look at stage 3: protection.
Organisations increasingly understand the importance of information security, but the GDPR raises the bar. Article 32 (security of processing) requires that organisations take appropriate technical and organisational measures, proportionate to the risk, to protect personal data from loss and from unauthorised access or disclosure, and to be able to demonstrate that those measures are in place and working.
Protecting your data
Data security is a complex area. There are many types of risk to identify and consider, ranging from physical intrusion or rogue employees to accidental loss or external attackers. Building risk management plans and taking risk mitigation steps, such as strong authentication, audit logging and encryption, helps you both reduce the likelihood of a breach and show a regulator what controls were in place.
The technology you use plays a critical role here, so it is important that it is able to provide the necessary protection. This includes being able to continuously monitor your resources, surface misconfigurations and provide actionable security recommendations.
Other areas you need to consider include data encryption, both when your data is at rest and when it is in transit, and safeguarding the cryptographic keys, certificates and passwords that the encryption depends on: an encrypted database is only as protected as the key that unlocks it, so keys should be stored separately from the data they protect, for example in a key vault or hardware security module.
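As an added illustration of the "safeguard the keys, not just the data" point (example code written for this article, not a Microsoft or Azure component), the following Go program uses envelope encryption: each personal-data record is encrypted under its own data encryption key (DEK) with AES-256-GCM, and the DEK is stored only in wrapped form, encrypted under a key encryption key (KEK). The KEK is the one secret that must live in a key vault or HSM; here it is an in-memory variable purely for illustration. The record identifier is bound as associated data so a ciphertext copied between records is rejected, and the sample record and identifiers are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is one encrypted personal-data record as it would be stored at rest.
// The DEK is present only in wrapped form, so a copy of the database on its
// own does not yield plaintext; the KEK is held elsewhere.
type Record struct {
	WrappedDEK []byte // DEK encrypted under the KEK, nonce prepended
	Ciphertext []byte // record encrypted under the DEK, nonce prepended
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with AES-GCM under key, authenticating aad,
// and returns nonce || ciphertext || tag. A fresh random nonce is used
// per call; reusing a nonce under the same key would break GCM.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any modification of the ciphertext, tag or aad fails.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// Encrypt generates a new 256-bit DEK for this record, encrypts the record
// with it, then wraps the DEK under kek. recordID is bound as associated data
// for both layers so the stored blob cannot be re-filed under another record.
func Encrypt(kek []byte, recordID string, plaintext []byte) (Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	ct, err := seal(dek, plaintext, []byte(recordID))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := seal(kek, dek, []byte(recordID))
	if err != nil {
		return Record{}, err
	}
	return Record{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK and then decrypts the record.
func Decrypt(kek []byte, recordID string, r Record) ([]byte, error) {
	dek, err := open(kek, r.WrappedDEK, []byte(recordID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, r.Ciphertext, []byte(recordID))
}

func main() {
	// Illustration only: a real KEK is generated and kept inside a key vault
	// or HSM, and the application asks that service to wrap and unwrap DEKs.
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	pt := []byte("name=Jane Doe;email=jane@example.com") // constructed sample record
	rec, err := Encrypt(kek, "customer/42", pt)
	if err != nil {
		panic(err)
	}
	got, err := Decrypt(kek, "customer/42", rec)
	fmt.Println("roundtrip ok:", err == nil && bytes.Equal(got, pt))
	_, err = Decrypt(kek, "customer/43", rec) // same bytes filed under another ID
	fmt.Println("rejected under wrong record ID:", err != nil)
}
```

The practical consequence for GDPR purposes is that rotating or revoking the KEK re-keys every record without touching the data itself, and that a leaked database backup is unreadable as long as the KEK stays in the vault.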
Many organisations are now using Microsoft technologies that help to deliver the required data protection. From Azure, to protect data in the cloud, through Enterprise Mobility + Security to Office 365 and Windows 10, these technologies offer an integrated and comprehensive security solution to help you meet your GDPR obligations.
Responding to vulnerabilities and breaches
The GDPR requires that when a personal data breach occurs, organisations notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals (Article 33). Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay (Article 34). The 72-hour clock starts when you become aware of the breach, so meeting this requirement depends on being able to monitor for and detect intrusions promptly in the first place.
Once you have detected a potential breach we recommend a four-step process:
- Assess the impact and severity of the event. Based on the evidence, the assessment may or may not result in escalation to a cyber security / data protection response team.
- Conduct a technical or forensic investigation, and identify containment, mitigation and workaround strategies. If the cyber security / data protection team believes that personal data may have been disclosed to an unauthorised party, the notification process required by the GDPR begins in parallel rather than waiting for the investigation to finish.
- Create a recovery plan to mitigate the issue. Crisis containment steps such as isolating affected systems should occur immediately and in parallel with diagnosis, taking care to preserve logs and disk images needed for the investigation. Longer-term mitigations can be planned for after the immediate risk has passed.
- Create a post-mortem that records the details of the incident, with the intention of revising policies, procedures and processes to prevent a recurrence. This stage satisfies Article 33(5) of the GDPR, which requires the controller to document the facts relating to the breach, its effects and the remedial action taken, whether or not the breach was notifiable.
To find out more, or to discuss your GDPR obligations, please contact us.