There’s just over two months to go until the EU General Data Protection Regulation (GDPR) finally arrives, and we’re busy helping our customers and partners with their preparations for full compliance. This is a once-in-a-generation update for data protection, and provides a significantly more robust framework to protect our personal data in today’s modern, digital world.
This personal data is subject to a variety of “data processing” activities, whether that’s collection via a website, transmission via a network, processing by an employee or storage within a database, amongst many others. It’s the security of this data processing that is addressed within Article 32 of GDPR, and its text is worth a closer look.
Article 32 requires that Data Controllers and Data Processors implement appropriate “technical and organisational measures” which ensure a level of data security appropriate to the risk present during the processing of the personal data. This sentence alone comprises several different requirements, which we’ll take a look at in turn.
Firstly, our organisation should have a detailed understanding of the risks involved if we are to effectively implement measures to manage them. For organisations which have ISO27001 certification (the international standard for Information Security Management Systems), Sections 6 and 8 of the standard require that an effective approach to risk management is agreed and implemented. Whether your organisation has ISO27001 certification or not, the Data Protection Impact Assessments required by Article 35 of GDPR will, done well, provide similar visibility of any risks.
Dependent upon the data processing activity, our risk assessments should examine the threats and vulnerabilities associated with our employees, the systems (hardware, software and networks) we use, and any third-party data processors (including cloud service providers) that we may need to share the personal data with. It’s too complex a subject to address fully in a single blog post, but essential if we are to ensure the confidentiality, integrity and availability of the personal data which is being entrusted to our care.
Using this risk-based approach, Article 32 notes that technical and organisational measures are to be implemented. Let’s look at each of these in turn.
Organisational measures may include:
- A process by which personal data can be identified and classified within an organisation, including its sensitivity/classification, origin, storage location, retention period etc.
- Effective line-management and training of our colleagues, ensuring that they understand the requirements of the data processing activities they undertake
- Employment policies and procedures, which help reduce personal data loss opportunities by controlling the use of social media, removable USB devices, BYOD assets etc.
- Ensuring appropriate contractual provision (meeting GDPR requirements) is in place between the Data Controller and Data Processor
Technical measures may include:
- User access and rights management: is it clear why each individual needs access to personal data records? This includes the use of strong passwords and identity authentication tools.
- Infrastructure designed and implemented so that systems are securely protected at their perimeter and internal boundaries, e.g. properly configured firewalls
- The use of encryption and anonymisation technologies to reduce the risks to personal data as it is transmitted within our organisation and externally
- Implementing monitoring technologies to report on employee and system access, suspicious behaviours and the breaching (loss, theft or compromise) of any personal data
Article 32 also requires that such measures be assessed against the “state of the art” and take account of the costs of their implementation. This suggests that data processing organisations will need to keep abreast of the latest technologies which support best practice in information security and data privacy, whether that relates to data encryption, activity monitoring, behavioural analytics or malware detection. Technical testing for software coding vulnerabilities and weak device configurations is available at a sensible cost, and should be seriously considered by all data processing organisations.
Finally, this Article once again highlights the respective roles of the data controller (who has ultimate responsibility for ensuring that personal data processing is undertaken in accordance with the requirements of GDPR), and the data processor (who undertakes the data controller’s specific data processing instructions on a formal, legal basis). Article 28 reminds controllers that they shall only use processors who can “provide sufficient guarantees to implement appropriate technical and organisational measures” to ensure that the data processing is compliant with GDPR.
The selection and use of demonstrably compliant data processors by a data controller needs to be managed carefully. Contractual obligations should be combined with satisfactory responses to requests for evidence, for example existing security certifications, evidence of personnel training and competencies, visibility of external technical security tests upon applications etc.
In summary, it’s in each of our organisations’ own interests to ensure that personal data processing is both secure and fully compliant with GDPR. Being able to demonstrate this capability is essential if we are to earn the trust and credibility of data subjects, and significantly reduces the risk of the financial penalties that may otherwise result.
John Godwin is UKCloud’s Director of Compliance & Information Assurance. As a Certified Data Protection Officer, he is responsible for co-ordinating UKCloud’s preparations for the forthcoming EU General Data Protection Regulation, and is a regular conference and event speaker on information security and data protection matters.