28 Feb GDPR – 4 tips for addressing the security requirement
Article 32 of the GDPR, titled “Security of processing”, sets out the core security requirement in its first paragraph in only about 135 words. Specifically, Article 32(1) states:
“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”
Unlike HIPAA and the PCI Data Security Standard, for example, the GDPR does not prescribe specific security controls. This approach provides flexibility and the opportunity to make security decisions that make sense for the organization given its technology complexity, business processes and overall risk profile. However, this flexibility also carries a risk: a regulator could take the position that your organization’s security measures do not meet its view of “appropriate”, a term that appears three times in the paragraph quoted above. You also need to remember that your organization’s security practices could come under the scrutiny of a Data Protection Authority, and that the GDPR’s accountability principle (Article 5(2)) makes the controller responsible for being able to demonstrate compliance. You therefore need to be ready to demonstrate and defend both the design and the operational effectiveness of the security controls in place.
Below are four high-level tips to help you demonstrate and defend the organization’s security efforts.
- Use a recognized security framework – if your organization does not already use a security framework such as ISO/IEC 27001 (the certifiable management-system standard) and ISO/IEC 27002 (its companion catalogue of controls) to guide your security program, select a framework, or a combination of known frameworks, that will inform the components of the overall security program. The ISO framework is internationally recognized and tends to be a favorite for multi-national organizations, but it certainly is not the only one; the NIST Cybersecurity Framework is another widely used option. Whichever you choose, map each of its control areas to the Article 32 elements (pseudonymisation and encryption, confidentiality/integrity/availability/resilience, restoration, and regular testing) so that you can show a regulator how the framework covers the regulation.
- Manage security risk – not all security risk is equal, and not all risk can or should be eliminated. It simply is not realistic, cost-effective or necessary. Thankfully, the GDPR recognizes that reality: Article 32 repeatedly ties the required measures to “the risk”, and Article 32(2) directs you to account in particular for the risks of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. However, you still need to assess security risks and take reasonable steps to mitigate significant risks, implement compensating controls, or justify why an unmitigated risk will be accepted. Every organization should use a risk framework, such as NIST SP 800-30 Rev. 1 (Guide for Conducting Risk Assessments), and have a process to evaluate and govern risk. If your organization does not currently have a formal process to identify, document and manage security risks, leverage the NIST or another framework to make improvements. This does not mean that your organization needs to implement every element in any particular framework; instead, the framework serves as a starting point or reference to help ensure the necessary elements of risk management are addressed, and the record of accepted risks, with who accepted them and why, becomes part of your defense.
- Documentation is your friend – when there is an issue that results in an investigation or audit, the success of the organization’s defense will be directly related to the strength of the “show and tell” that is presented to the regulator or auditor. Documentation is the “show” piece of the defense that can be used to demonstrate that security controls are in place (e.g., a list of all employees who completed the security training) and are operating effectively (e.g., access control logs showing that unauthorized access attempts against a system holding personal data were identified and investigated). Such evidence is only as good as its retention and integrity, so make sure logs and records are kept for a defined period and protected from tampering. Maintain a reasonable level of documentation to demonstrate and defend the security controls in place.
- Continuously “read and react” – technology, business requirements and legal requirements will continuously change over time. As a result, new risks will emerge, and new or different security controls will be needed. This is an endless cycle that requires the organization to keep adapting and refining its security posture in response to new risks, which is exactly what Article 32(1)(d) asks for when it calls for a process of regularly testing, assessing and evaluating the effectiveness of the measures. Security, like privacy, is an on-going process, not a one-time project.
There are now fewer than 460 calendar days until 25 May 2018, the date from which the GDPR applies and compliance is required.