Overview

Why it's vital to safeguard data

The General Data Protection Regulation (GDPR), adopted by the European Union in 2016 and applicable since 25 May 2018, is a groundbreaking data privacy law. The purpose of the GDPR is to ensure that personal data is better protected and to give people control over how their information is used. Building on pre-existing law, the GDPR applies not only to organisations established in the EU, but also to any organisation in the world that processes the personal data of individuals in the EU when offering them goods or services or monitoring their behaviour. This reach makes the GDPR a global standard in data protection. Under the GDPR, organisations are required to follow a strict set of rules in how they handle personal data (i.e., collect, store, process, share). The GDPR sets out key principles that organisations must adhere to, including: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability, meaning the controller must be able to demonstrate compliance with the other principles.

GDPR cyber security requirements

Article 5

Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (the 'integrity and confidentiality' principle, Article 5(1)(f)).

Article 32

Controllers and processors must implement technical and organisational measures appropriate to the risk, including the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, the ability to restore availability of and access to personal data in a timely manner after a physical or technical incident, and a process for regularly testing, assessing and evaluating the effectiveness of those measures. Article 32 also names pseudonymisation and encryption of personal data as example measures; it does not prescribe specific technologies, so the burden is on the organisation to show its choices are proportionate to the risk.

Article 33

Strong processes for the identification and investigation of personal data breaches, together with the obligation on a controller to notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. A processor that detects a breach must notify the controller without undue delay. Every breach, whether or not it is reported, must be documented, including the facts, its effects and the remedial action taken.

Article 35

A Data Protection Impact Assessment (DPIA) of the effect of the envisaged processing operations on the protection of personal data, required where a type of processing is likely to result in a high risk to the rights and freedoms of individuals, in particular when new technologies are used.

Data protection

Who does the GDPR apply to and what data needs to be protected?


The GDPR imposes obligations on both data 'controllers' and 'processors'. A data controller is a person or entity that decides on the purposes and means of processing personal data, whilst a data processor is any third party (such as a cloud service provider) that processes personal data on behalf of a controller. The GDPR keeps the definition of 'personal data' used in the Data Protection Act, 'any information relating to an identified or identifiable natural person', but its definition is broader than the DPA's: it explicitly includes online identifiers (such as IP addresses and web cookies), location data and biometric data such as fingerprints. Data that has been pseudonymised but could still be attributed to a person with additional information remains personal data.

How to minimise your cyber security risk for GDPR compliance

By attacking your network controls and actively looking for exploitable vulnerabilities, our cyber security services (vulnerability assessments, penetration testing and managed threat detection and response) can support you in satisfying the information security and breach reporting requirements of the GDPR.
Our consultancy and services can assist you in meeting the compliance requirements of GDPR in the following ways:

Enhance resilience to cyber-attacks

Quickly identify and respond to malicious threats

Report breaches in 72 hours or less

Identify and limit security risks

Improve security policies and employee awareness

Demonstrate good practice with Cyber Essentials

Need to know more? Let us help