There are few things organisations fear more than data breaches. They cause immediate delays, are expensive and could lead to long-term reputational damage.
The stakes were raised with the enforcement of the EU GDPR (General Data Protection Regulation) in May 2018. It demands adequate security measures and has been widely publicised, as it has the potential to levy large fines against non-compliant organisations.
Knowing that you need to comply with the Regulation doesn’t necessarily translate into actions you can easily implement. For example, you might know that you need to improve your staff awareness programme, but you might not know how to go about it.
Fortunately, IT Governance is here to help. This blog summarises six tools that are essential for helping you comply with the GDPR, focusing specifically on the prevention of and response to security incidents.
When identifying a data breach under the GDPR, you’ll need to find out who has been affected, how extensive it is and how it happened, all within 72 hours. This can pose a challenge for any organisation, especially when you are having to juggle all the other repercussions of the breach.
The Data Breach Support Service will help you respond to an incident or data breach quickly and in line with the GDPR’s requirements, enabling you to get back to your normal business operations with minimal interruption and hassle.
This service will give you expert support and advice, preventing breaches from doing any more damage than they already have.
You can determine what level of defence is appropriate by assessing the way information flows through your organisation. Your aim should be to keep as little personal data as possible and to transmit and store it in as few locations as possible.
To do this, you will need to carry out data flow mapping regularly. That might sound time-consuming, but you can speed up the process by using Vigilant Software’s Data Flow Mapping Tool. It simplifies the mapping process and makes it easy for you to review, revise and update your maps when needed.
With this tool, you can create consistent visual representations of the flow of data through all your business processes without having to resort to more time-consuming methods, such as pen and paper or vector graphics.
Assessing the likelihood and impact of a data breach is best done through a comprehensive information security risk assessment.
Vigilant Software’s vsRisk is a leading information security risk assessment tool that delivers fast, accurate, auditable and hassle-free risk assessments year after year. Fully aligned with ISO 27001, it cuts the consultancy costs typically associated with information security risk assessment.
Under the GDPR, data breaches that involve human error require you to provide the ICO (Information Commissioner’s Office) with details of your staff awareness training programme.
If you don’t have a programme, or want to improve your existing measures, you should take a look at our Information Security Staff Awareness E-Learning Course. It teaches employees about the most important elements of information security, and aims to reduce the likelihood of human error by familiarising non-technical staff with security awareness policies and procedures.
Penetration testing is essentially a controlled form of hacking in which a professional tester, working on behalf of an organisation, looks for vulnerabilities in the same way a criminal hacker would. It is essential for rooting out problems before a network or application goes into use.
Our penetration testing packages provide a complete security testing solution for your websites and IT systems. The fixed-cost packages are ideal for small and medium-sized organisations, or those with no prior experience of security testing.
All organisations should consider appointing a DPO (data protection officer) to oversee their data protection practices. Some will be required to do so in order to comply with the GDPR. This will be the case if they:
- Are a public authority or body;
- Regularly and systematically monitor data subjects; or
- Process special categories of data on a large scale.
Finding a qualified professional to fill the role can be difficult. As such, you might consider outsourcing the role with our DPO as a service (GDPR). One of our data protection experts will act as a remote DPO, working with you to understand your organisation and its compliance requirements. They’ll complete the necessary tasks and provide you with guidance whenever you need it.