A version of this blog was originally published on April 24 2018.
Although the EU GDPR (General Data Protection Regulation) is now in effect, many organizations are still working towards compliance. One part of the Regulation tripping people up is Article 32: Security of processing. It describes the technical and organizational measures that organizations should have in place, but it’s densely written and uses unfamiliar terms:
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk […]
This blog breaks down this chunk of text, focusing on the technical requirements and explaining exactly what it requires organizations to do.
Identify the data you process
Organizations need to know what data they are processing before they can assess the risk that it poses. The first step is to create a data flow map that identifies:
- Data items (e.g. names, email addresses, records)
- Formats (e.g. hard copy forms, online data entry, database)
- Transfer methods (e.g. post, telephone, internal/external)
- Locations (e.g. offices, Cloud, third parties).
This will help organizations understand the nature and scope of data processing as well as the state of the art (i.e. whether they are using the most up-to-date technologies and methods).
Organizations need to perform a risk assessment
You can’t prepare for every threat, so you should instead prioritize the biggest ones. That means conducting a risk assessment to determine the probability of each scenario and the damage it would cause.
You can identify risks by conducting vulnerability scans and penetration tests.
A vulnerability scan is an automated process that finds known weaknesses in an organization’s systems and alerts the organization to them. There are two types of scan: external and internal. External scans look for ways in which malicious outsiders could exploit the organization, and internal scans look for weaknesses within the organization.
Penetration testing is a controlled form of hacking in which a professional penetration tester, working on behalf of an organization, uses the same techniques as a criminal hacker to search for vulnerabilities in the organization’s networks or applications. Tests can be conducted at the application or network level, and the scope can be adjusted to cover particular departments, functions, or assets.
Decide upon a risk treatment
There are four ways to treat risks:
- Avoid the risk by eliminating it entirely.
- Modify the risk by applying security controls.
- Share the risk with a third party (through insurance or by outsourcing it).
- Retain the risk (if the risk falls within established risk acceptance criteria).
The action you take will be at your discretion, but you need to be able to demonstrate that it was the most appropriate option. This means documenting your processes and being consistent with your choices.
How to get started
We offer many resources to help you understand and meet the GDPR’s technical requirements, but we recommend that everybody considers the value of penetration testing. You can learn more about why it is so important by watching the webinar ‘Compliance solutions: how can penetration testing support your GDPR project?’
This free webinar discusses:
- Penetration testing and its role in demonstrating GDPR compliance.
- Implementing technical measures to ensure data security and compliance with Article 32 of the GDPR.
- Why penetration tests are vital in uncovering vulnerabilities before criminals do.
- How to meet legislative and regulatory requirements and achieve an integrated approach with the GDPR and other cybersecurity laws and frameworks.
This presentation takes place on Tuesday, November 20, 2018, at 1:00 pm (EST). If you are unable to attend, the recorded webinar will be available for download from our website.
You can discover how to prepare for a data breach by visiting our #BreachReady page. We break the process down into six simple steps and recommend tools and services you can use to complete each task.