Key Security Controls Required for GDPR Compliance - Are You Ready?
Malini Rao CISSP CCISO, GCIO, CISM, CCSK, AWS 2x, DPO
Cybersecurity& GRC Thought leader| AI Governance & Risk Advisor| Speaker | Mentor | Top Voice| Best Selling Author | Top 10 Global Women in Cybersecurity| Certified Board Member| Top Technology Leader | CISO 100 winner|
As most organizations are aware, the EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC. It was designed to harmonize data privacy laws across Europe, to protect and empower the data privacy of individuals in the EU, and to reshape the way organizations across the region approach data privacy. With the enforcement date approaching, it is essential that organisations assess their security, data protection and privacy controls, and that the preventive, detective and corrective controls are implemented across people, process and technology and tested for effectiveness well before that date. Is your organization ready for the fast-approaching enforcement date? Let us look at some of the critical security controls that should be implemented to ensure compliance with the GDPR requirements for data protection.
"Enforcement date: 25 May 2018 - at which time those organizations in non-compliance will face heavy fines." Administrative fines can reach €20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83).
One of the GDPR requirements is that personal data be processed securely. Chapter IV of the Regulation (Articles 24 to 43) covers the obligations of controllers and processors, and within it Articles 25 and 32 to 35 set out the security-related controls that must be implemented to comply with the GDPR.
- Article 25: Data protection by design and by default
Article 25(2): "The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons."
Recital 78 expands on this: "In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features. When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations."
Article 25(1): "Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects."
This is one of the key GDPR principles: organizations are under a specific obligation to build data protection considerations into a service, process, technology or product from the outset, rather than bolting them on afterwards.
So what do organizations need to do in order to comply with this requirement?
Checklist of activities for organizations
- Perform a current-state risk assessment of the security controls in place and identify the gaps between the current state and the mandated requirements.
- Appoint a data protection officer where required (Article 37).
- Assign the budget and resources needed to implement the security controls.
- Map the mandated control requirements to the best-practice frameworks the organization already uses and align the controls accordingly.
- Review and update data protection and privacy management procedures, including data handling procedures.
- Develop a security, data protection and privacy awareness and education program.
- Article 32: Security of Processing
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
- In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
- Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.
- The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.
- Article 33: Notification of a personal data breach to the supervisory authority
- In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
- The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
- The notification referred to in paragraph 1 shall at least:
- describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- communicate the name and contact details of the data protection officer or another contact point where more information can be obtained;
- describe the likely consequences of the personal data breach;
- describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
- Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
- The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.
- Article 34: Communication of a personal data breach to the data subject
- When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
- The communication to the data subject shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33.
- The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:
- the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
- the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;
- it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
- If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met.
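Article 32 names pseudonymisation and encryption as the first technical measures, and Article 34(3)(a) makes the difference concrete: if the leaked data are unintelligible to anyone without the separately held secret, the controller may not have to notify each data subject. The added example below (not from the original article or its author) shows the practitioner's check that matters here: an unkeyed hash of an identifier such as an e-mail address is not effective pseudonymisation, because anyone who can guess the input space can recompute it, whereas an HMAC with a key held apart from the data set is, and the re-identification table is the "additional information" that must be stored and protected separately. The sample records, the attacker word list, the field names and the helper names are all constructed for this illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional

# Constructed sample records (not real data): a customer table a controller might hold.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "plan": "gold", "city": "Dublin"},
    {"name": "Bob Example", "email": "bob@example.org", "plan": "free", "city": "Lyon"},
    {"name": "Alice Example", "email": "alice@example.org", "plan": "gold", "city": "Dublin"},
]

# Hypothetical guess list an attacker could assemble from leaked address dumps.
ATTACKER_WORDLIST = ["carol@example.org", "alice@example.org", "bob@example.org"]


def pseudonymise_unkeyed(identifier: str) -> str:
    """Naive approach: plain SHA-256 of the identifier.
    Deterministic, but anyone who can enumerate plausible inputs can recompute it."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def pseudonymise_keyed(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key that is stored apart from the data set.
    Without the key, guessing the input space gives the attacker nothing to compare."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def dictionary_attack(target: str, candidates: Iterable[str]) -> Optional[str]:
    """What an attacker does with a leaked unkeyed hash: hash every guess and compare."""
    for candidate in candidates:
        if hmac.compare_digest(pseudonymise_unkeyed(candidate), target):
            return candidate
    return None


def pseudonymise_record(record: Dict, key: bytes, reid_table: Dict[str, str]) -> Dict:
    """Replace direct identifiers (name, e-mail) with a keyed pseudonym.
    The pseudonym -> identifier mapping goes into reid_table, which is the 'additional
    information' of Article 4(5): keep it in a separate store with its own access control."""
    pseudonym = pseudonymise_keyed(record["email"], key)
    reid_table[pseudonym] = record["email"]
    out = {k: v for k, v in record.items() if k not in ("name", "email")}
    out["subject_id"] = pseudonym
    return out


def reidentify(pseudonym: str, reid_table: Dict[str, str]) -> Optional[str]:
    """Authorised re-identification: only possible with access to the separate table."""
    return reid_table.get(pseudonym)


def demo():
    # In production the key lives in a KMS/HSM and is never stored next to the data.
    key = secrets.token_bytes(32)
    reid_table: Dict[str, str] = {}
    pseudonymised = [pseudonymise_record(r, key, reid_table) for r in SAMPLE_RECORDS]

    leaked_unkeyed = pseudonymise_unkeyed(SAMPLE_RECORDS[0]["email"])
    leaked_keyed = pseudonymised[0]["subject_id"]
    return {
        "unkeyed_recovered": dictionary_attack(leaked_unkeyed, ATTACKER_WORDLIST),
        "keyed_recovered": dictionary_attack(leaked_keyed, ATTACKER_WORDLIST),
        "same_subject_same_pseudonym": pseudonymised[0]["subject_id"] == pseudonymised[2]["subject_id"],
        "records": pseudonymised,
    }


if __name__ == "__main__":
    result = demo()
    print("unkeyed hash recovered by dictionary attack:", result["unkeyed_recovered"])
    print("keyed pseudonym recovered by dictionary attack:", result["keyed_recovered"])
    print("linkable across records:", result["same_subject_same_pseudonym"])
```

The keyed pseudonym stays linkable (the same subject gets the same token, so analytics still work) while the data set on its own no longer identifies anyone; whether that is enough for the Article 34(3)(a) exemption depends on the key and the re-identification table genuinely being out of the attacker's reach, which is a question of where they are stored and who can read them, not of the algorithm.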
The GDPR contains other important obligations, such as performing a data protection impact assessment (Article 35) and appointing a data protection officer (Article 37). They are not security controls in the sense discussed in this article, but they are equally important for compliance with the GDPR's data protection requirements.
If your organization already complies with the ISO 27001 series of standards, COBIT, ITIL or the NIST Cybersecurity Framework, most of the security controls required by the GDPR's data protection and privacy requirements are already covered; there is no need to reinvent the wheel. Note that these frameworks address security, not every GDPR obligation, so a gap analysis against the Regulation itself is still needed. Where that analysis identifies missing controls needed to protect data subjects' data, those controls must be implemented and tested well before the enforcement date in May 2018. Adopting industry best practices and standards goes a long way in governing and managing the data lifecycle, building better data protection controls, and bringing trust and transparency to data handling. Having the controls tested and reviewed regularly will also help sustain compliance with the GDPR data protection requirements.
I hope this article is useful for understanding the security controls required by the GDPR, and that adopting industry best practices and frameworks such as ISO 27001, COBIT and the NIST Cybersecurity Framework will help organizations meet the GDPR regulatory requirements.
Share your GDPR experience and/or feedback below.
Thanks for reading!
Information Security Officer at Rail & OV, 7 years ago: Mappings of GDPR requirements to ISO 27001 and COBIT controls would help me a lot too. Can you share them with me?