Introduction
The General Data Protection Regulation (GDPR) is a widely known data privacy law in the EU, designed to secure personal data and uphold the privacy rights of EU citizens. The regulation comprises 99 Articles and 173 Recitals outlining the requirements of the privacy regulation. Among these 99 Articles, the one most widely discussed in the industry is Article 32, Security of Processing, which sets out the security measures organizations must take to prevent cyber-attacks. In this section we elaborate on Article 32 of the GDPR and explain its requirements. Read along to learn about the security of processing requirements and how your organization can achieve them.
What is Article 32 of the GDPR?
Article 32 of the GDPR is a technical requirement that covers in detail the security requirements concerning the processing of personal data. It states the technical measures that organizations ought to take and implement to secure the personal data they handle. The regulation does not prescribe any particular technique or process to adopt, but businesses need to ensure that the measures they implement take the security of processing personal data into account. The measures implemented must be effective at protecting data during processing, and in particular at preventing a data breach. As per Article 32 of the GDPR, organizations must implement measures to mitigate the risks of data processing, including accidental or unlawful destruction of data, alteration of data, unauthorized disclosure of personal data, and unauthorized access to it. Given below are some of the technical and organizational measures organizations are expected to implement as security and preventive measures against cyber-attacks.
Technical Measures Required in Article 32 of GDPR
When it comes to implementing cybersecurity measures, the concept of one size fits all never really works. By this we mean that every organization works and operates differently, so data protection practice will vary accordingly for each organization. This is why the GDPR does not specify data security techniques for organizations but rather requires measures appropriate to mitigate or minimize the organization's risk exposure. In order to implement and maintain an appropriate level of security and prevent data breaches, organizations must implement the following GDPR requirements.
1. Pseudonymising & Encryption of Personal Data
Pseudonymization is a process or technique that de-identifies personal data by replacing the original data with a set of unique identifiers. This way the data can be secured against the potential risk of data breach or theft. It is a simple yet effective approach to data security. It does, however, require an added layer of security: encrypting the data, so that it is unreadable without the decryption keys. This added layer of security makes unauthorized access to the data difficult.
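As an added illustration of the pseudonymization step described above (example code, not from the original article or from VISTA InfoSec), the snippet below replaces direct identifiers in constructed sample records with keyed tokens and keeps the re-identification table separate from the released dataset; the secret key and the lookup table are the "additional information" that must be protected, for instance by encrypting them at rest. The key value and record contents are constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed sample records; "name" and "email" are the direct identifiers.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "order_total": 42.0},
    {"name": "Bob Example", "email": "bob@example.com", "order_total": 17.5},
    {"name": "Alice Example", "email": "alice@example.com", "order_total": 8.0},
]
DIRECT_IDENTIFIERS = ("name", "email")


def new_key() -> bytes:
    """Generate a fresh pseudonymization key; store it apart from the data."""
    return secrets.token_bytes(32)


def pseudonym(secret_key: bytes, field: str, value: str) -> str:
    """Deterministic keyed token (HMAC-SHA256). The same value always maps to
    the same token under one key, so records stay linkable for analysis, but the
    token cannot be reversed or recomputed without the key."""
    mac = hmac.new(secret_key, f"{field}\x00{value}".encode("utf-8"), hashlib.sha256)
    return "ps_" + mac.hexdigest()[:24]


def pseudonymise(records, secret_key: bytes):
    """Return (pseudonymised records, re-identification table).
    The table is the additional information that must be kept separately and
    under its own protection; only it (or the key) lets a token be re-identified."""
    lookup = {}
    out = []
    for rec in records:
        clean = dict(rec)  # never mutate the caller's originals
        for field in DIRECT_IDENTIFIERS:
            if field in clean:
                token = pseudonym(secret_key, field, clean[field])
                lookup[token] = clean[field]
                clean[field] = token
        out.append(clean)
    return out, lookup


def contains_direct_identifier(records) -> bool:
    """Release check: True if any identifier field still holds a raw value."""
    return any(
        not str(rec[f]).startswith("ps_")
        for rec in records for f in DIRECT_IDENTIFIERS if f in rec
    )
```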
2. Confidentiality, Integrity, and Availability of Personal Data
The GDPR requires personal data to be kept confidential, and organizations must ensure the integrity and availability of the data when processing it and offering related services. This means ensuring the personal data is secured and only accessible to authorized personnel. It also means the data processed or stored is accurate and available when required by the data subject. Overall, the objective is to secure the data against unauthorized access and prevent data breaches. To address these issues, implementing anti-malware software and conducting vulnerability assessments and penetration tests are essential. Moreover, enforcing strict policies, procedures, and processes is equally essential to embed the practice of data security in the organization. With appropriate awareness training, emphasis on data security, and implementation of security measures, organizations can work towards reducing the risk of destruction, alteration, and misuse of data by employees. Appropriate access control measures, audit trails, and implementation of policies and processes will together ensure the confidentiality, integrity, and availability of data as required to meet GDPR requirements.
3. Ability to Restore the Personal Data
Organizations are expected to keep backups of data and ensure that it can be restored in the event of a disruption. To address this, organizations must establish business continuity management and disaster recovery management programs that ensure prompt availability and restoration of data. The organization should enforce strong processes that facilitate quick recovery of data. This can be achieved by taking off-site backups regularly and reviewing incident response plans.
4. Effectiveness of Security Measures
Organizations need to ensure that appropriate technical and organizational measures are established to secure data. They also need to regularly review the measures adopted and update policies and processes to adapt to evolving threats and technological risks. Regularly conducting scans, technical assessments, and process reviews is essential to confirm that the established security measures are effective.
Organizations are required to ensure that the processing of data is secured against unlawful or unauthorized processing and disclosure, while also preventing the loss, destruction, and alteration of the data they hold. Organizations are also required to meet the code of conduct outlined in Article 40 to demonstrate compliance with the requirements pertaining to the security of processing. Further, it is the responsibility of the data controller to ensure that the data processor also adheres to the secure processing requirements and only processes data on the instructions of the controller.
Now that we are aware of the technical and organizational measures organizations must establish to comply with these requirements, here is a complete checklist to help you meet the requirements of GDPR Article 32.
Summary
GDPR compliance can be a complex process, as organizations need to understand the requirements they have to meet. Following a checklist, however, makes the process of achieving compliance easier. Consider the checklist below when implementing measures and enforcing policies and processes, to ensure all the requirements are covered and established in alignment with GDPR Article 32.
GDPR Checklist for Article 32
- Review the established data security measures to ensure they meet the above-mentioned requirements of Article 32, Security of Processing.
- Establish and enforce data security policies and procedures to maintain and monitor all the technical and organizational measures.
- Regularly test security measures to identify flaws in systems, processes, and policies.
- Create additional policies to address gaps in the security measures and improve the effectiveness of the existing security measures.
- Implement technical controls to meet the required level of security for processing personal data.
- Establish security measures that help meet the GDPR requirements of maintaining the confidentiality, integrity, and availability of personal data.
- Establish measures for data restoration and availability in the event of a disaster.
- Implement additional security measures whenever the data processing activity changes.
- Establish appropriate data security measures to meet the code of conduct as required and as stated in Article 32 of GDPR.
- Establish processes and policies that ensure the data processor also implements appropriate technical and organizational measures.
- Establish processes and policies that ensure a data processor with access to personal data does not process it until authorized to do so by the controller or required to do so by law.
Follow the compliance checklist and the organization will be able to meet the requirements of Article 32 GDPR. Understanding the requirements and implementing appropriate measures is the key to achieving compliance with the GDPR data privacy regulation.
Guest article written by Narendra Sahoo (PCI QSA, PCI QPA, PCI SSLCA, PCI SSFA, CISA, CISSP, CRISC, CEH, and ISO27001 LA), Founder and Director of VISTA InfoSec, a global information security consulting firm based in the United States, Singapore, and India. Mr. Sahoo has more than 25 years of experience in the IT industry, with expertise in information risk consulting, assessment, and compliance services. VISTA InfoSec specializes in information security audit, consulting, and certification services, including GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS compliance and audit, PCI PIN, SOC 2, PDPA, and PDPB, to name a few. Since 2004, VISTA InfoSec has worked with organizations across the globe to address the regulatory and information security challenges in their industry, and has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.