Cyber Security in General Data Protection Regulation (GDPR)

By: Pradeep Mahangare, Project Manager – Assurance Services

The EU GDPR is the biggest overhaul of European data protection law to date. It is intended to strengthen and unify data protection for all individuals within the European Union, and it applies from May 25, 2018.

Among other things, it requires businesses to have a process for regularly testing, assessing and evaluating the effectiveness of their technical and organizational security measures, so that they can demonstrate the "security of the processing" (Article 32).

Most organisations have a team that keeps data and systems secure by putting appropriate physical and logical controls in place, protecting the network and host layers, and running basic security validation tests. Nevertheless, these controls often fail to protect the systems and data, because their effectiveness is never measured or regularly tested. This can lead to major financial and reputational damage to the organization.

Recent attacks such as WannaCry and Petya ransomware are examples of major information security incidents, and they have called the GDPR readiness of organizations into question. Organizations must put in place appropriate security measures that protect personal data against unauthorized or unlawful processing and against accidental loss, destruction or damage. Failure to comply with the GDPR can result in administrative fines of up to 4% of the total worldwide annual turnover of the preceding financial year (or €20 million, whichever is higher).

To ensure data security, the GDPR requires organizations to address the following key areas:

  • Data loss protection
  • Data breach identification and notification
  • Data discovery, cataloging and classification
  • Cloud storage and sharing services
  • Pseudonymisation
  • Encryption of personal data at rest and in transit
  • Regular security testing
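Of the items above, pseudonymisation is the one most often implemented incorrectly: hashing an e-mail address with plain SHA-256 is not pseudonymisation, because an attacker who obtains the dataset can simply hash a list of guessed addresses and read the "pseudonyms" back. The example below, added here and not part of the original article, contrasts that unkeyed approach with HMAC-SHA-256 under a key held separately from the dataset, and runs a dictionary attack against both. The records, candidate addresses and the key are constructed for the demonstration; in production the key would live in a KMS or HSM, not beside the data.

```python
"""Pseudonymisation of a direct identifier: unkeyed hash vs. keyed HMAC.

Added example, not code from the original article. Assumes the HMAC key
is stored separately from the pseudonymised dataset (e.g. in a KMS/HSM);
here it is generated in-process purely for demonstration.
"""
import hashlib
import hmac
import secrets

# Constructed sample records, not real personal data.
RECORDS = [
    {"email": "alice@example.com", "purchase": "book"},
    {"email": "bob@example.com", "purchase": "laptop"},
    {"email": "Alice@Example.com ", "purchase": "pen"},  # same person, sloppy input
]

# Constructed guess list an attacker might hold (leaked address book, etc.).
CANDIDATE_EMAILS = ["alice@example.com", "bob@example.com", "carol@example.com"]


def _normalise(email: str) -> str:
    # Canonicalise so the same person always maps to the same pseudonym.
    return email.strip().lower()


def naive_pseudonym(email: str) -> str:
    """Unkeyed SHA-256: looks anonymous but is reversible by guessing."""
    return hashlib.sha256(_normalise(email).encode()).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA-256 under a key kept separately from the dataset.

    Without the key an attacker cannot recompute pseudonyms, so guessing
    identifiers no longer works; with the key, records remain linkable.
    """
    return hmac.new(key, _normalise(email).encode(), hashlib.sha256).hexdigest()


def generate_key() -> bytes:
    """256-bit pseudonymisation key (assumption: stored in a KMS, not here)."""
    return secrets.token_bytes(32)


def pseudonymise(records, key: bytes):
    """Return copies of records with 'email' replaced by a keyed 'subject_id'."""
    out = []
    for rec in records:
        new = {k: v for k, v in rec.items() if k != "email"}
        new["subject_id"] = keyed_pseudonym(rec["email"], key)
        out.append(new)
    return out


def dictionary_attack(pseudonyms, candidates, fn):
    """Reverse pseudonyms by recomputing fn() over guessed identifiers.

    Returns {pseudonym: recovered_identifier} for every hit.
    """
    lookup = {fn(c): c for c in candidates}
    return {p: lookup[p] for p in pseudonyms if p in lookup}


if __name__ == "__main__":
    key = generate_key()
    pseudo = pseudonymise(RECORDS, key)
    for rec in pseudo:
        print(rec)

    # Attacker has the dataset and a guess list, but not the key.
    naive_ids = [naive_pseudonym(r["email"]) for r in RECORDS]
    keyed_ids = [r["subject_id"] for r in pseudo]
    print("recovered from unkeyed hashes :",
          dictionary_attack(naive_ids, CANDIDATE_EMAILS, naive_pseudonym))
    print("recovered from keyed pseudonyms:",
          dictionary_attack(keyed_ids, CANDIDATE_EMAILS, naive_pseudonym))
```

Two caveats worth keeping in mind. First, the keyed pseudonym is deterministic by design so that records about the same person can still be joined; if that linkability is not needed, a random token with a separately stored mapping table is stronger. Second, pseudonymised data is still personal data under the GDPR as long as the key (or mapping) exists somewhere, so the encryption, access-control and breach-notification obligations in the list above continue to apply to it.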

Cyber Security Role:
Safeguarding the ongoing confidentiality, integrity, availability and resilience of processing systems and services is an explicit requirement of the GDPR. Skilled data protection consultants can help organizations design and implement the controls that meet it.

Organizations also need Cyber Security Incident Response Services. These cover two things: proactive monitoring, which detects an incident that could lead to data loss or a data breach before it spreads, and response, which restores the availability of and access to personal data in a timely manner after an incident, tracks down the likely cause of the breach, and preserves the incident logs and other evidence needed for recovery and for breach notification.

To validate the effectiveness of the controls implemented at the various data entry and exit points, a risk-based approach is needed. Cybersecurity consultants can help organizations adopt this approach and validate database, OS/host, application, network and perimeter security through advisory and risk validation services. Such tests need to be repeated at regular intervals to keep data secure and to meet the GDPR's compliance requirements.

In 2018, GDPR compliance will be the key!
