IT Security Systems and Compliance with the General Data Protection Regulation
14 July 2021
When the General Data Protection Regulation (GDPR) came into effect on 25 May 2018, it quickly became a hot topic for every business that holds personal data. Some found the transition easy, but many did not. Before writing this blog, we asked some colleagues and clients what first came to mind when they heard 'GDPR'. Some said 'not sure, it confuses me', but others used words such as security, protection, data, personal information, change and surveillance.
The penalty for non-compliance with UK GDPR is up to £17.5 million or 4% of annual global turnover, whichever is higher. The potential for fines of that size has changed the way organisations approach data protection and security. So, from an IT and cybersecurity perspective, which controls need to be in place to support GDPR compliance?
Let's break it down below.
What is the General Data Protection Regulation?
Since the UK left the EU, GDPR has been incorporated into UK data protection law as the UK GDPR. In summary, UK GDPR is a regulation on data protection that applies to the personal data of individuals in the UK. It gives those individuals (the data subjects) rights over how their data is processed, stored or transmitted. Its reach is not limited to the UK: an organisation based anywhere in the world falls under UK GDPR if it offers goods or services to, or monitors the behaviour of, people in the UK, just as the EU GDPR applies to organisations outside the EU that do the same for people in the EU.
Let's look at some of the technical controls needed to ensure that you are compliant with GDPR.
Identity and Access Management
Proper Identity and Access Management controls limit access to personal data to authorised employees. Two key principles, separation of duties and least privilege, ensure that employees have access only to the information and systems their job function requires.
What does this mean in terms of GDPR? Only those who need personal data to perform their job can access it, and those individuals should receive privacy training so that the data is used only for the purpose it was collected for.
Data Loss Prevention
Data Loss Prevention (DLP) tooling inspects data as it leaves the organisation, whether by email, web upload, removable media or cloud storage, and blocks or alerts on personal data that should not be going out.
Technical safeguards such as a DLP tool are critical in preventing a breach. Under GDPR, organisations, whether they are the controller or the processor of personal information, are held liable for the loss of personal data they hold. DLP controls add a layer of protection by restricting the transmission of personal data outside the network, and the alerts they raise are evidence of what was attempted when an incident is investigated.
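To make the DLP idea concrete, here is a small outbound-mail check, written for this post and not code from the original page or from A Plus Security. It scans constructed message bodies for two kinds of UK personal data, email addresses and NHS numbers, and blocks a message only when it carries such data to a recipient outside the organisation. The internal domain `example.co.uk` and the messages are assumptions for the demo; the NHS number check digit (modulus 11 over the first nine digits) is the real algorithm and is what keeps phone numbers and order references from triggering the rule.

```python
from __future__ import annotations
import re

# Assumed internal mail domain for the demo.
INTERNAL_DOMAINS = {"example.co.uk"}

# Constructed outbound messages (not real traffic or real people).
OUTBOUND = [
    {"to": "partner@supplier.example.net",
     "body": "Hi, patient 943 476 5919 (alice@example.com) needs a follow-up."},
    {"to": "records@example.co.uk",
     "body": "Hi, patient 943 476 5919 (alice@example.com) needs a follow-up."},
    {"to": "partner@supplier.example.net",
     "body": "Call me on 123 456 7890 about the invoice."},
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Ten digits, optionally grouped 3-3-4 as NHS numbers are usually written.
NHS_RE = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{4})\b")


def nhs_check_digit_ok(digits: str) -> bool:
    """Modulus 11 check used by NHS numbers: weights 10..2 over the first nine digits."""
    if len(digits) != 10 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:          # no valid NHS number has this remainder
        return False
    return check == int(digits[9])


def find_personal_data(text: str) -> list[tuple[str, str]]:
    """Return (category, value) pairs for personal data found in text."""
    findings = [("email", m.group()) for m in EMAIL_RE.finditer(text)]
    for m in NHS_RE.finditer(text):
        digits = "".join(m.groups())
        # The check digit drops most phone numbers and order references.
        if nhs_check_digit_ok(digits):
            findings.append(("nhs_number", digits))
    return findings


def dlp_decision(message: dict) -> dict:
    """Block a message that carries personal data to a recipient outside the organisation."""
    domain = message["to"].rsplit("@", 1)[-1].lower()
    external = domain not in INTERNAL_DOMAINS
    findings = find_personal_data(message["body"])
    action = "block" if external and findings else "allow"
    return {"to": message["to"], "external": external,
            "findings": findings, "action": action}


if __name__ == "__main__":
    for msg in OUTBOUND:
        d = dlp_decision(msg)
        print(d["action"].upper(), d["to"], d["findings"])
```

Run as-is, the first message is blocked (NHS number and email address to an external domain), the second is allowed because the recipient is internal, and the third is allowed because the ten-digit string fails the NHS check digit. A production DLP policy would add more detectors and route blocked messages to a review queue rather than silently dropping them.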
Encryption and Pseudonymisation
Pseudonymisation is a difficult word to spell, and an even more difficult one to pronounce! The UK GDPR defines pseudonymisation as "…the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person." In practice this is achieved with techniques such as tokenisation, keyed hashing or field-level encryption in databases, where the key or lookup table is held apart from the working dataset. It sits alongside encryption of entire data stores at rest and encryption of data in use and in transit.
Pseudonymisation is listed in UK GDPR as an appropriate measure rather than an absolute requirement, but if an incident leads to a breach the regulator will consider whether the organisation responsible had implemented these kinds of technical controls. Note that pseudonymised data is still personal data under GDPR; only properly anonymised data falls outside it.
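The following example, added for this post and not code from the original page or from A Plus Security, shows the definition above in practice using keyed hashing (HMAC) rather than field-level encryption: direct identifiers in constructed patient records are replaced by pseudonyms, while the secret key and the pseudonym-to-value table, the "additional information" in the regulation's words, live in a separate vault object. It also shows why an unkeyed hash of an identifier is not pseudonymisation: anyone can recompute it from guessed values. The records, field names and `PseudonymVault` class are assumptions for the demo.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets

# Constructed sample records (not real people). Only direct identifiers are
# pseudonymised; the attributes needed for analysis stay in clear.
RECORDS = [
    {"patient_id": "P-001", "email": "alice@example.com", "postcode": "SW1A 1AA", "condition": "asthma"},
    {"patient_id": "P-002", "email": "bob@example.com", "postcode": "M1 1AE", "condition": "diabetes"},
    {"patient_id": "P-003", "email": "alice@example.com", "postcode": "SW1A 1AA", "condition": "eczema"},
]
DIRECT_IDENTIFIERS = ("patient_id", "email", "postcode")


class PseudonymVault:
    """The 'additional information' UK GDPR refers to: a secret key plus the
    pseudonym-to-value table, held apart from the working dataset and access-controlled.
    Assumed design for this demo, not a library or a product."""

    def __init__(self, key: bytes | None = None):
        self.key = key if key is not None else secrets.token_bytes(32)
        self._lookup: dict[tuple[str, str], str] = {}

    def pseudonymise(self, field: str, value: str) -> str:
        # Keyed hash: the same value always maps to the same pseudonym (so records stay
        # linkable for analysis) but nobody without the key can recompute or reverse it.
        tag = hmac.new(self.key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()[:16]
        self._lookup[(field, tag)] = value
        return tag

    def reidentify(self, field: str, tag: str) -> str:
        return self._lookup[(field, tag)]  # KeyError if the vault never issued this tag


def pseudonymise_record(record: dict, vault: PseudonymVault) -> dict:
    return {k: vault.pseudonymise(k, v) if k in DIRECT_IDENTIFIERS else v
            for k, v in record.items()}


def reidentify_record(record: dict, vault: PseudonymVault) -> dict:
    return {k: vault.reidentify(k, v) if k in DIRECT_IDENTIFIERS else v
            for k, v in record.items()}


def unkeyed_hash(value: str) -> str:
    """What NOT to do: a plain hash of a guessable identifier."""
    return hashlib.sha256(value.encode()).hexdigest()[:16]


def dictionary_attack(target: str, guesses: list[str]) -> str | None:
    """Recovers the input of an unkeyed hash by hashing candidate values. Works on any
    low-entropy identifier (email addresses, postcodes, NHS numbers) without any secret."""
    for guess in guesses:
        if unkeyed_hash(guess) == target:
            return guess
    return None


if __name__ == "__main__":
    vault = PseudonymVault()
    working = [pseudonymise_record(r, vault) for r in RECORDS]
    for row in working:
        print(row)
    print(reidentify_record(working[1], vault))
    print(dictionary_attack(unkeyed_hash("alice@example.com"),
                            ["bob@example.com", "alice@example.com"]))
```

Two properties matter here. First, records 1 and 3 receive the same email pseudonym, so an analyst can still see they concern the same person without learning who that is. Second, re-identification is only possible through the vault, so the access controls and audit logging around the vault are what make the separation real; if the key and lookup table sit in the same database as the working data, the data is not pseudonymised in any meaningful sense.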
Third Party Risk Management
If an organisation entrusts the processing of personal data to a processor or sub-processor and a breach occurs, who is liable?
The short answer: potentially all parties.
Processors are bound by the controller's instructions, but GDPR also obliges processors to play an active role in protecting personal data. Regardless of instructions, a processor must comply with GDPR and can be held liable for incidents involving loss of, or unauthorised access to, personal data. Any sub-processors must also comply with GDPR under the contract established between the processor and the sub-processor.
As you can see, GDPR IT and cybersecurity compliance is just as important for third-party bodies as it is internally for an organisation if those third parties process, store, or transmit personal data.
Policy Management
Policy is the accountability layer for the data security controls described above.
To be effective, policy must have organisation-wide buy-in to manage and update data security controls in an ever-changing IT and cybersecurity environment. Organisational policy and training ensure that policies are communicated and understood by all parties.
Managed and followed accordingly, policy management is a foundation for GDPR compliance.
What to Take Away….
As explained, GDPR requirements are more than a box-ticking exercise. If you process personal data, you must make sure the correct controls are in place to ensure compliance.
Review the security controls you have in place to support GDPR requirements, so that personal data is accounted for, protected and processed correctly.
We at A Plus Security have been working with clients to ensure that they have the correct controls in place for their systems. We continually monitor changes and help clients make sure they remain compliant and have confidence in their systems.