GDPR, Data Security and Understanding
There has been a great deal of hype regarding GDPR, and scaremongering about fines continues in the media, on social media and in general marketing. Despite the attention, the issue of data security is not always mentioned, perhaps because it is assumed to be an implicit requirement, but GDPR is very specific, as the extract below shows:
“…, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk…”
The key to Article 32 is risk. GDPR is a risk-orientated regulation; thus every Practice holding and processing personal data will need to assess the risks and develop a security system that can be deemed appropriate. The risks in question include more than just cyber threats: IT system failures, denial of access to premises, accidental or even malicious data loss, and the list goes on.
This article cannot address all the actions required when preparing to be ‘GDPR Ready’; however, there are two steps that, in my opinion, should be taken without delay, namely: 1) reviewing/developing a security system; and 2) gaining a full understanding of the data in use in the business.
I recommend adopting a security accreditation to implement data security in a structured manner. There are a number of benefits from this approach – use of a framework developed by experts; being seen by both clients and regulators as having adopted a recognised standard; possible mitigation against fines; and simply good business practice.
The standards available can be split into two groups: pragmatic, such as Cyber Essentials and ‘10 Steps to Cyber Security’; and risk-based, such as ISO 27001 and IASME (ISO 27001 ‘lite’).
Cyber Essentials should be considered the minimum and requires proper configuration of existing infrastructure. Thus, no further expenditure is generally required beyond checking that the configuration is appropriate and paying the £300 fee to be assessed online on a self-certifying basis. In addition, an audited certification level is available, known as Cyber Essentials Plus.
The IASME standard provides an excellent and holistic approach to data security and is suited to SMEs. In addition, this standard can be achieved on both a self-certification and audited basis similar to Cyber Essentials.
IASME have further developed a self-certifying online assessment for GDPR which builds upon the Cyber Essentials and IASME standards. It is anticipated that the IASME ‘GDPR Ready’ assessment will meld into the eagerly anticipated ICO ‘GDPR’ accreditation.
The longer a business has been operating, the more data it holds, the more processes it has that create data, and the more widespread the storage of that data can be. It is key that there is a full understanding of the data being stored and that personal data and any special category data are identified.
The degree of difficulty of this task will depend upon the systems and applications in place. For example, if the business depends heavily on word processing documents, spreadsheets and small databases, then it is likely to face a significant workload to fully understand the data and, importantly, where it is and how many copies exist.
On the other hand, a structured end-to-end application that effectively runs the business can hold much of a business’s data in one place. Most businesses sit somewhere within this range.
The use of ad-hoc databases created for a short-term purpose is widespread, and these stores of data also need to be challenged – are they still required, should the data be deleted, and is the purpose still valid?
Adopting a security standard such as Cyber Essentials is a sound basis for demonstrating that the integrity of data systems is taken seriously by the organisation, and in turn helps to demonstrate the principle of Accountability that GDPR requires.