The EU General Data Protection Regulation (GDPR) will soon be in effect, but many organisations are still working towards compliance. One part of the Regulation tripping people up is Article 32: Security of processing. It describes the technical and organisational measures that organisations should have in place, but it’s densely written and uses unfamiliar terms:
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk […]
This blog breaks down this chunk of text, focusing on the technical requirements and explaining exactly what it requires organisations to do.
Identify the data you process
Organisations need to know what data they are processing before they can assess the risk that it poses. The first step is to conduct a data flow map to identify:
- Data items (e.g. names, email addresses, records);
- Formats (e.g. hard copy forms, online data entry, database);
- Transfer methods (e.g. post, telephone, internal/external); and
- Locations (e.g. offices, Cloud, third parties).
This will help organisations understand the nature and scope of data processing as well as the state of the art (i.e. whether the organisation is using the most up-to-date technologies and methods).
Perform a risk assessment
Organisations can’t prepare for every threat, so they should instead prioritise the biggest ones. That means conducting a risk assessment determining the probability and damage of each scenario.
You can identify risks by conducting vulnerability scans and penetration tests.
A vulnerability scan is an automated process that finds and alerts organisations about known weaknesses in their systems. There are two types of scan: external and internal. External scans look for ways in which malicious outsiders can exploit the organisation, and internal scans look for threats inside the organisation.
Penetration testing is a controlled form of hacking in which a professional penetration tester, working on behalf of an organisation, uses the same techniques as a criminal hacker to search for vulnerabilities in the organisation’s networks or applications. Tests can operate on application or network level, and the scope can be adjusted based on departments, functions or certain assets.
Decide upon a risk treatment
There are four ways to treat risks:
- Avoid the risk by eliminating it entirely.
- Modify the risk by applying security controls.
- Share the risk with a third party (through insurance or by outsourcing it).
- Retain the risk (if the risk falls within established risk acceptance criteria).
The action you take will be at your discretion, but you need to be able to demonstrate that it was the most appropriate option. This means documenting your processes and being consistent with your choices.
How to get started
We offer many resources to help organisations understand and meet the GDPR’s technical requirements, but recommend that everybody considers the value of penetration testing. You can learn more about why it is so important by watching Compliance solutions: how can penetration testing support your GDPR project?
This free webinar is hosted by IT Governance’s founder and executive chairman, Alan Calder, and head of technical services, David Grove. They discuss:
- Penetration testing and its role in demonstrating GDPR compliance;
- Implementing technical measures to ensure data security and compliance with Article 32 of the GDPR;
- Why penetration tests are vital in uncovering vulnerabilities before criminals do; and
- How to meet legislative and regulatory requirements and achieve an integrated approach with the GDPR and various cyber security standards.
The webinar takes place on Wednesday, 2 May 2018 at 3:00 pm (BST). If you are unable to attend, the presentation will be available to download from our website.