Do's and Don'ts of GDPR Data Security – a Journey to Compliance and Beyond
Preparing for GDPR may sound complex, but there are things you can do (and avoid) to ensure your security approach supports compliance.
By: Hadi Hosn
I'm going to start this GDPR guide about the do's and don'ts of compliance with the easy bit – the don'ts.
Firstly, don't panic. With the right guidance and help, meeting the GDPR's data security requirements can lead not just to compliance but also to an enhanced security posture and even business enablement benefits.
How you get there depends on the second don't, which in turn informs our checklist of do's. Don't assume that you can obtain security compliance and these benefits with technology alone. Instead, any truly effective approach to security when preparing for GDPR compliance must cover three aspects: technology (prevention), people and process.
All too often, it seems that organisations think that throwing technical solutions at a security problem will prevent it and make it go away. Worse still, some suppliers are guilty of promoting the message that a technical fix is all you need. But there's so much more to security than just prevention and that's as true of complying with GDPR as it is of any other framework or programme.
In fact, a strong security programme recognises that prevention is not possible 100% of the time. If you can't prevent every threat from getting through, whether you can detect the breach and how you respond to it could make the difference between GDPR compliance and one of GDPR's new, heavily punitive fines from the regulator of up to 4% of global annual turnover or €20 million, whichever is greater.
Because compliance, and being able to demonstrate it, just isn't optional, SecureWorks has developed a four-step methodology to ensure that your organisational security measures work towards GDPR data security compliance and not against it:
- Know Your Data
- Assess Your Current State
- Build the Programme
- Test, Operate & Manage
Join our webcast to find out more about our methodology: Your GDPR Plan: 4 Steps to Bolster Security and Meet Compliance
The checklist below complements the full methodology and sets out practical, guidance-focused "do's" involving people and process that take you a long way on your journey to a GDPR-ready security posture.
GDPR Data Security Compliance Checklist
- Know Your Data
- Have Good Risk Management
- Implement Comprehensive Policies and Procedures
- Implement Appropriate and Effective Controls
- Have Effective Incident Response Procedures
Know Your Data
Implicit within every aspect of GDPR is the requirement for the data controller to know their data – what it covers and where it is held. Without this, ensuring consent would be impossible and so would effective data security.
This also involves looking at data flows and the underlying systems that allow the data to be processed. All these areas must be assessed against the data security requirements of GDPR in a gap analysis. The output of any GDPR Maturity Assessment should lay out data scope, flows, gaps in compliance and potential risks.
Have Good Risk Management
For reasons that we have explored in a related white paper, a risk-based approach to security is both crucial for security and core to GDPR preparation. Article 32 requires that the measures implemented ensure a level of security appropriate to the risk. Indeed, there are multiple references to levels of risk throughout GDPR, with Recital 76 in particular describing risk evaluation. This clearly implies a responsibility on the controller to identify and understand those risk levels.
Risk-based security ensures that priorities are established and decisions are made through a process of evaluating data sensitivity, system vulnerability and the likelihood of threats. This is a key component of knowing your current state and essential for building an appropriate, GDPR-compliant programme.
Figure 1: Risk Scenario Prioritisation
It's an entire holistic approach, building an understanding of risk and prioritisation into every security related decision. This risk-based security approach can be used as one of the main methods of objectively identifying what security controls to apply, where they should be applied and when they should be applied.
Implement Comprehensive Policies and Procedures
Article 5 calls for appropriate measures that are both technical and organisational, with Article 32 going into detail about some of these measures. These may include adherence to authorised codes of conduct drawn up by national regulators and procedures that prevent unlawful processing or destruction of records.
We believe that this "do" will form a major part of any GDPR-compliant programme and, together with the next "do", it fits directly into the third step in our four-step methodology. With your increased understanding of where your business-critical data and other assets reside and who has access to them, you need procedures to ensure you have full visibility of possible vulnerabilities and threats. You need to clarify and document who is accountable for security and ensure that high-risk users are fully trained. And you need clearly laid out processes for incident response.
Doing all this will result in formalised processes and workflows, with responsibilities assigned for data management in a way that puts you in a far better position to demonstrate GDPR data security compliance.
Implement Appropriate and Effective Controls
The next step is to implement technical controls for data management and security, monitoring and detection, response and remediation.
Article 32 also provides examples of technical controls that may be appropriate to ensure security appropriate to risk. The role of this blog is not to recommend specific products and it is clear from GDPR that you should select the controls that fit the risks posed. Just don't forget that technical controls alone are not enough to make you compliant.
Have Effective Incident Response Procedures
GDPR Article 32 requires data controllers to be able to "restore the availability and access to personal data in a timely manner in the event of a physical or technical incident". The ability to respond in an organised and prepared fashion to a breach can make the difference between a slight bump in the road and a widespread, reputation-damaging event with high costs from lost productivity, lost sales, and compliance penalties.
This involves several steps. First is having the ability to detect that a breach has taken place. Then, if an incident occurs, you must know how you are going to respond to it. Who is going to be involved from a people perspective? Who decides if, when and how to inform others of the breach, including your clients, regulators and internal stakeholders? The GDPR explicitly lays out requirements for breach notification to the appropriate supervisory authorities. We will look at this in greater depth in the final post in this series.
All of these steps require defined processes that must not just be developed and implemented but also tested to ensure they work.
This may sound like a lot to prepare for by May 2018, when GDPR compliance becomes mandatory, but as I said at the beginning of this blog post, there's no need to panic. Working with a trusted security partner can greatly ease your GDPR compliance journey and bring benefits that extend well beyond compliance alone. SecureWorks offers pragmatic and holistic guidance on GDPR data security readiness through its four-step methodology and through a wide range of services, from acting as an early warning system and minimising the risk of data breaches, to delivering actionable security solutions that prevent, detect, rapidly respond to and predict cyberattacks on personal information in scope of GDPR.