GDPR is here to stay

With the introduction of the GDPR and the Data Protection Act (2018), it’s clear that the threat of harm extends beyond mere embarrassment and bad publicity: the mis-handling of data may result in criminal charges against the officers of the organisation.

All organisation process personal data and, even for a modest SME, this may include such diverse data categories as employee financials, health, genetic, biometric and biographic. Of your customers, this may include identity documents, passwords, credit card and innumerable other pieces which – alone or combined – might cause the risk of financial harm, physical harm, embarrassment or distress.

The Security Principle

The GDPR enhances prior legislation and now places an absolute requirement upon every organisation: if you process personal data, you must do so securely. Article 5(1)(f) concerns the ‘integrity and confidentiality’ of personal data – in short, it is the GDPR’s ‘security principle’. It states that personal data shall be:

"...processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures"

Common sense comes into play: your responsibility is to protect the data in such a manner that the protection is appropriate to the risk of disclosure or loss of access.

Data protection and the security of processing

Alongside the security principle, the GDPR contains further specific provisions. It makes data protection by design a legal requirement (this concept was known previously as ‘privacy by design’). Article 25 mandates that, at the time of the determination of the means of the processing (i.e. the design phase of any processing operation) and at the time of the processing itself, organisations shall put in place appropriate technical and organisational measures designed to implement data protection in an effective manner, and to integrate the necessary safeguards into the processing.

Whether you're a controller or a processor, you also have specific security obligations under Article 32, ‘Security of processing’. These require you to put in place appropriate technical and organisational measures to ensure a level of security of both the processing and your processing environment

"The measures you implement should be appropriate to the risk presented" - NCSC

These provisions turn what is considered good security practice into a legal minimum. They go further than the obligations of the Data Protection Act 1998 and introduce established information security concepts into data protection legislation, including: 

🔸 Minimisation of personal data collected
🔸 Managing, limiting and controlling access to personal data
🔸 Protecting the classic ‘CIA triad’ (Confidentiality, Integrity, and Availability) of personal data
🔸 An emphasis upon the resilience of processing systems and services, and the ability to restore availability to personal data in the event of an incident
🔸 Regular testing of the effectiveness of measures implemented

 

Of the many thousands of pages of guidance on the GDPR as it relates to cyber security, some of the best is offered by the NCSC, who propose that ‘the measures you implement should be appropriate to the risk presented’. This is as it should be: you need not spend a fortune to protect all data from all risks!

 

Have you read:

Cyber Security Red on Grey

5 second snapshot

Part of our Cyber Security Series

The GDPR and the Data Protection Act (2018) are the regulatory and legislative teeth to make Cyber Security a board-level imperative for years to come

Recent Posts

Subscribe to our Blog

 

Humperdinck Jackman, Author

Humperdinck Jackman

Director of Consulting Services

Humperdinck has a 30-year career spanning Document Management Systems (DMS), data protection, Artificial Intelligence, Data Protection and Robotic Process Automation. With many articles published in print internationally, he believes the advances in office technology are such that we're entering the 4th Industrial Revolution. Now Director of Marketing and Consulting Services at Advanced UK, he's as active with clients as he is in endeavouring to write original blog articles.