GDPR & Security
It is now a legal requirement under UK law for all organisations that process personal data (data related to living individuals) to regularly test the security of their IT infrastructure and applications. Some of the key security requirements under the GDPR include:
Data protection by design and by default: Organisations must implement data protection measures throughout their information processing systems, from the initial design phase of new systems to their ongoing operation.
Data minimisation: Organisations should only collect and process personal data that is necessary for the purposes for which it is being processed. They should also limit access to personal data to authorised individuals.
Pseudonymisation and encryption: Personal data should be encrypted or pseudonymised to protect it from unauthorised access or disclosure.
Security incident management: Organisations must have appropriate security incident management processes in place to detect, investigate, and report personal data breaches.
Regular security testing and assessments: Organisations must regularly test and assess their technical and organisational security measures to ensure that they are effective in protecting personal data.
Contractual requirements: Organisations must ensure that their contracts with third-party service providers include appropriate data protection and security requirements.
Staff awareness and training: Organisations must ensure that their staff members are aware of their data protection obligations and receive appropriate training to help them fulfil those obligations.
Overall, the GDPR requires organisations to take a risk-based approach to data protection and to implement appropriate technical and organisational measures to protect the personal data they process.
The official guidance from the Information Commissioner's Office (ICO) states:
Are we required to ensure our security measures are effective?
Yes, the UK GDPR specifically requires you to have a process for regularly testing, assessing and evaluating the effectiveness of any measures you put in place. What these tests look like, and how regularly you do them, will depend on your own circumstances. However, it’s important to note that the requirement in the UK GDPR concerns your measures in their entirety, therefore whatever ‘scope’ you choose for this testing should be appropriate to what you are doing, how you are doing it, and the data that you are processing. Technically, you can undertake this through a number of techniques, such as vulnerability scanning and penetration testing.
While the law requires you to conduct regular testing, it does not prescribe exactly how often or what kind of testing you must perform - it is up to your organisation and your specific circumstances to ensure that both the regularity and the type of testing performed are appropriate under the requirements of the UK GDPR.
First of all, you need to have a documented risk assessment to demonstrate that you have considered what is appropriate given your business circumstances. Organisations need to demonstrate that a risk assessment has been conducted that took into account all relevant risks and led to the implementation of appropriate technical and organisational measures, including in particular the risks specified in Article 32:
Accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
Based on your risk assessment you need to implement appropriate technical and organisational measures to address the risks identified. The key here is to focus on what is appropriate; note that measures can be technical and/or organisational. Examples of such measures may include:
Data security obligations in contracts and service agreements
Data security obligations in contracts of employment
Strong (two-factor) authentication
Security event logging, correlation and monitoring
Network, host and Web application firewalls
System and data access control, monitoring and reporting
Regular or automated deployment of security updates
Adoption of secure software development practices such as BSIMM
In any case, the measures implemented must be appropriate, adequate and effective - and they must be regularly tested. Examples of testing may include:
Vulnerability Scanning & Assessment
Penetration Testing
Independent certification schemes such as ISO 27001 and Cyber Essentials
Internal audit
In future: GDPR certification schemes
How do you evidence compliance with Article 32? Generally speaking you would need:
Documentation demonstrating an adequate risk assessment, not older than 12 months, that identifies the processes / infrastructure / applications that process personal data and documents what technical / organisational measures are, or are to be, implemented to address the relevant risks, including at least the risks specified in Article 32,
Evidence that measures documented as implemented are actually implemented,
Security testing / assessment / evaluation report(s) not older than 12 months, with a scope of testing that includes at least the measures documented in the most recent risk assessment, and that confirm the measures are effective or document an action plan to address any measures that were found to be inadequate or ineffective.