Before we jump into the third part of this GDPR blog series, let’s take a moment to think about a few questions. Why are compliance mandates necessary? Are they framed just to prevent data breaches? Are compliance mandates established just to detect and report security attacks? I would say no!
The primary objective of compliance mandates is to help enterprises prove that all is well within their network. Yes! You read it right. IT regulatory mandates are the checklists that help organizations show auditors that security measures are intact and that their network is safe and sound.
With that said, let’s now focus on the GDPR’s requirements, specifically establishing the technical and organizational measures that streamline organizations’ auditing processes.
The appropriate technical and organizational measures to tackle Article 32
The GDPR outlines requirements to ensure personal data safety. Whether it’s getting consent from data subjects, storing personal data, appointing a data protection officer if needed, or notifying the relevant authorities in the event of a data breach, the GDPR covers most security aspects enterprises have to look into.
But the GDPR isn’t as clear when defining the technical and organizational measures that a company should adopt. Here are two possible reasons the GDPR is less clear in this aspect:
- Reason #1: There are plenty of applications and platforms that help store personal data. Defining how to adopt policies for each platform or application would make the GDPR adoption process overly complicated. Therefore, the GDPR only outlines the general auditing and security policies that enterprises need to adopt.
- Reason #2: Security threats and data breaches are dynamic. There aren’t any hard and fast rules that define attack prevention. With that said, the best thing for enterprises to do is to adopt regular reviewing and auditing practices for monitoring each of their platforms that handle personal data. Restricting the adoption of best practices to specific applications or platforms would leave a big security loophole.
What does “appropriate technical and organizational measures” actually mean?
You could store personal data in a database, such as MS SQL or Oracle Database, a file server, or even in a cloud environment. No matter where you store the data, make sure that the following measures are taken to ensure data safety.
- Control who gets to access personal data: Devise proper access controls and restrict personal data access. Grant personal data handling access only to privileged users.
- Audit user behavior: Keep track of when users:
  - Access your organization’s personal data storage platform (whether that’s a server, database, or cloud application).
  - Alter personal data (e.g., modify, delete, or rename files).
  - Perform access modifications, permission changes, and privilege escalations with respect to personal data access.
- Get real-time insights: Ensure that you’ve established a system that notifies you in real time about any abnormal or suspicious activities such as personal data deletion.
- Always have a plan B: No matter what, be sure to retain data backups. That way, you can restore personal data in the event of data loss. Note that you need to get proper consent from data subjects before backing up their personal data. You must also ensure that your backups are protected from tampering.
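The auditing and real-time alerting measures above can be demonstrated in a small detector. The following is an added example, not code from the original post or from any product: it classifies constructed file-server audit lines into the three audit categories listed above (access, alteration, permission change) and raises an alert when one user deletes several personal-data files within a short window. The log format, the `/pii/` path prefix and the action names are assumptions made for the example.

```python
# Added example: classify personal-data audit events and alert on deletion bursts.
# Log format, /pii/ prefix and action names are constructed for this example.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit lines: "<ISO time> <user> <action> <path>"
SAMPLE_LOG = """\
2018-05-20T09:00:01 alice READ /pii/customers/1001.json
2018-05-20T09:00:05 bob CHMOD /pii/customers
2018-05-20T09:01:10 alice DELETE /pii/customers/1001.json
2018-05-20T09:01:11 alice DELETE /pii/customers/1002.json
2018-05-20T09:01:12 alice DELETE /pii/customers/1003.json
2018-05-20T09:30:00 carol WRITE /public/readme.txt
"""

PERSONAL_DATA_PREFIX = "/pii/"          # assumed location of personal data
CATEGORY = {"READ": "access", "WRITE": "alteration", "RENAME": "alteration",
            "DELETE": "alteration", "CHMOD": "permission_change",
            "CHOWN": "permission_change"}

def parse_events(log):
    """Yield (time, user, action, path) for lines that touch personal data."""
    for line in log.splitlines():
        ts, user, action, path = line.split(" ", 3)
        if path.startswith(PERSONAL_DATA_PREFIX):
            yield datetime.fromisoformat(ts), user, action, path

def categorize(log):
    """Count personal-data events per audit category (the post's three classes)."""
    counts = defaultdict(int)
    for _, _, action, _ in parse_events(log):
        counts[CATEGORY.get(action, "other")] += 1
    return dict(counts)

def deletion_alerts(log, threshold=3, window=timedelta(minutes=1)):
    """Return (user, time) pairs where a user deleted >= threshold personal-data
    files within `window`, using a sliding window of timestamps per user."""
    recent = defaultdict(deque)
    alerts = []
    for ts, user, action, _ in parse_events(log):
        if action != "DELETE":
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((user, ts))
            q.clear()   # one alert per burst, then start counting again
    return alerts
```

Running `categorize(SAMPLE_LOG)` yields one access, one permission change and three alterations, and `deletion_alerts(SAMPLE_LOG)` flags alice's three deletions within one minute while carol's write outside `/pii/` is ignored.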
Stay tuned for the fourth and final installment of this blog series on the GDPR. We will be discussing the most debated requirement, notification of personal data breaches.