Vulnerability Assessment


In order to determine if the appropriate technical security measures have been implemented, notice needs to be taken of the risks associated with processing.


The GDPR identifies several specific risks which need to be considered. Production of a vulnerability assessment, in isolation or as part of a wider Data Protection Impact Assessment will show that you have at least considered these areas.

Make sure to include assessments from all stages of data processing: collection, processing, storage, destruction and when transferred to a third party.

How to:

Document and regularly review vulnerabilities and risks in the following areas:

  • Data destruction – do you have systems in place to prevent accidental or unlawful destruction of data
  • Data loss – do you have systems in place to ensure that you do not lose any data
  • Changes – do you manage changes to data and do you ensure that changes cannot be made without appropriate authorisation
  • Access control – do you ensure that access to data is limited to only those that need it
  • Transfer of data – do you ensure that where data is transferred either internally or to a third party,  it is done so securely
  • Storage – where you store data do you ensure that it is secure and encrypted

The risks and vulnerabilities identified will guide some of the technical measures that are either already or should be implemented. Further advice on these should be taken from a specialist IT provider.

Common Scenarios:

A customer asks to have their preferences updated

  • A system should be in place to record what changes are made. In the eventuality that a mistake is made these changes can then be rolled back. The person making the changes should either have the appropriate level of authority or be made aware of the required process to gain such approval as needed. In all cases an appropriate backup should exist to protect in the case that errors or data losses occur.

Data is transferred to a delivery supplier

  • A review should already have been carried out to ensure that the systems of the supplier are adequately secure. When making the transfer the connection mechanism (email, file transfer etc) should be encrypted so that the data cannot be intercepted. Ideally the data itself should be encrypted so that in the case it is intercepted no risk is presented to the data subject.


  • GDPR Recitals: –
  • GDPR Articles 32

How Gydeline helps

We, at Gydeline, help small and medium sized organisations save money and time by building systems, processes and policies that simplify their business and support their sustainability aims.  We do this with a range of services.

If you would like to discuss any aspects of dealing with this and other risks in your business we are always happy to offer some, free, no obligation assistance – just contact us.

Related Posts