Context:
In some cases the GDPR refers to explicit technical measures that need to be implemented such as data encryption and psuedonymisation. In other instances the regulation is vague on what constitutes appropriate security. Therefore there is no definitive list of exactly which technical measures need to be implemented. The measures an organisation chooses should be based on a combination of those measures specifically required by the regulation with the addition of measures that are required to ensure the safety of the information held.
Considerations:
As a first step we would advise all organisations to implement a base level of good IT security practice. There are various standards which can be used for this baseline such as ISO27001 and Cobit but we would recommend as a minimum implementing Cyber Essentials. The free version of Gydeline available here enables organisations to assess and create a plan to comply with this minimum standard.
How to:
Data mapping
Start by understanding which data and types of personal information you are storing and processing. Sensitive types of data require additional IT security measures. Understanding where all of your data is will also assist in understanding who needs to implement technical measures – you will often find that suppliers, cloud services and partners will also need to implement technical measures – which you will need to review regularly.
DPIA
The primary aim of the data protection impact assessment is to identify any risks that exist in your processing operations. Technical measures are some of the main ways in which you can mitigate these risks. Therefore understand what your risks are and target technical measures at these risks.
Implement
Armed with your data map and your DPIA implement the technical measures that these have identified.
Secondly implement the following technical measures which are required as part of the GDPR:
- Data availability – ensure that you have backup, recovery and availability measures in place to ensure the integrity of any personal information you hold
- Data encryption – encrypt the personal information you hold
- Data erasure – ensure you are able to delete any personal information you hold so that users can enact their right to be forgotten
- Data pseudonymisation – where possible anonymise personal information that you hold
- Data expiration – set expiration dates on all the personal information you hold
- Minimise the data you have – reduce the data that you store, collect and process to only the needed information
It is likely that you may not posses all of the technical skills required to implement the above within your organisation. In that case you should speak to your IT provider or alternatively our Brand Partners can assist with technical implementations.
Common Scenarios:
Customer information is stored in a CRM system
- Store only the required information within the system
- Ensure that the CRM system encrypts its data and that effective security is implemented to prevent unwanted access to the system. If the system doesn’t encrpyt data itself, consider encrypting the disks on which the data resides
- Document the process to permanently delete records from the system, including all backup copies
- Set expiration for all data fields
References:
- GDPR Recitals: 29, 71, 74, 77, 78, 87, 88, 114, 156
- GDPR Articles: 24, 25
