The GDPR refers to having ‘appropriate technical and organisational measures’ in place 89 times, stressing the importance the Regulation places on such measures. However, when it comes to defining exactly what these measures are, the Regulation is far less generous.
The GDPR references these measures in areas such as: –
- “a controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures”
- “assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing”
- “appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met”
These measures underpin the security of processing, the prevention of breaches, the selection of suitable processors, records of processing activities, privacy by design and, more broadly, the protection of the rights and freedoms of data subjects; but what are they?
What are GDPR Appropriate Technical and Organisational Measures?
Generally speaking, technical and organisational measures are the functions, processes, controls, systems, procedures and measures taken to protect and secure the personal information that an organisation processes.
Recital 78 states that: –
“that appropriate technical and organisational measures [should] be taken to ensure that the requirements of [the] Regulation are met. Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features.”
The measures taken and implemented by an organisation will relate directly to its size, scope and activities and will of course need to consider the type and volume of personal data being processed. The scope and range of the GDPR’s technical and organisational measures is large, spanning assessment controls such as vulnerability scans and risk management, through to firewalls, enforcing strong passwords and third-party due diligence.
What Measures Should You Consider and Implement?
Depending on the size of your organisation and the processing activities undertaken, there is a broad range of technical and organisational measures that can aid in securing and protecting personal data. The ICO also suggests utilising established frameworks such as ISO 27001 and Cyber Essentials to assess and develop adequate measures.
You can begin by carrying out vulnerability scans on all devices, networks and servers to identify any gaps or areas of weakness, and by completing risk assessments on all processing activities to ascertain which pose higher risks to personal data and what measures are needed to bring security and protection up to an acceptable level.
Writing or using templates for Information Security policies is an essential part of your organisational measures and can range from one Information Security Policy for small, non-complex organisations; through to a suite of policies which often include: –
- Asset Management
- Access Control
- Passwords & Encryption
- Remote Access
- Bring Your Own Device (BYOD)
- Clear Desk & Screen
- Secure Disposal
- Business Continuity Plan/Disaster Recovery
Protecting devices, networks and servers is ‘security 101’ and should be implemented regardless of the size and scope of your organisation. Firewalls, malware protection and anti-virus applications are cost effective and easy to use and offer a broad range of protections for the devices and access points to personal data. A few notable media stories last year also highlighted the importance of having up-to-date software and operating systems on all devices and installing updates and patches as soon as they become available.
Employee awareness is pivotal to data security, with staff needing to be aware of their obligations and responsibilities when it comes to the personal data that they handle and have access to. Enforcing strong passwords, holding regular information security training sessions and promoting secure working habits, such as locking screens when away from desks and escorting visitors around the building, can go a long way towards protecting data and preventing breaches.
Organisational Measures
Organisational measures can be considered as the approach an organisation takes in assessing, developing and implementing controls that secure information and protect personal data. They can include, but are not limited to: –
- Information Security Policies – scope and content will depend on the size of the organisation and type of processing activities. Smaller firms may only require a standard information security policy; whilst more complex or larger firms may require policies in specific areas such as remote access, asset management and password controls
- Business Continuity – regardless of size, all organisations should have protocols and measures in place to back up personal data and ensure that it can be recovered and maintained in the event of an incident; restores should be tested periodically, since an untested backup is not a guarantee of recovery
- Risk Assessment – assessing high risk data and processing activities and developing mitigating solutions to prevent or reduce risks is a preventative measure that is highly effective and in some industries, a legal requirement
- Policies and Procedures – having robust policies and procedures helps an organisation and its employees to know what their obligations are and what to do if certain situations occur. They should be easy to follow to provide intent, objectives and guidelines for adhering to regulations
- Management Information & Reporting – regular reports and information passed to upper management is essential for ensuring that the adequate resources and funding are made available and for accountability at all levels
- Awareness & Training – a culture of security and data protection awareness ensures that employees, contractors and any third party working for or with the organisation know what is expected of them and how to maintain compliance. Regular and ongoing training sessions will ensure that the latest information, guidance, legislation and regulations are known and understood
- Reviews & Audits – you may have all of the policies, controls and measures in place, but how do you know that they are working and are still relevant? Reviewing and auditing functions, activities and systems against procedures and regulations helps to know if they are still effective and fit for purpose
- Due Diligence – who you are working with is just as important as what an organisation does itself. There is little point putting extensive security and data protection measures into place if you are going to pass data to a third party who cannot guarantee its safety or protection. Carrying out due diligence checks on suppliers and service providers (and in some sectors, customers) is essential and often a legal requirement (e.g. fraud checks, anti-money laundering measures)
Technical Measures
Technical measures are usually defined as the measures and controls applied to the systems and technological aspects of an organisation, such as devices, networks and hardware. Protecting such aspects is vital to data security, but goes beyond simply securing access to devices and systems.
The points below are just a few of the areas that could be considered ‘technical measures’ and are by no means exhaustive…
- Building Security – you should have robust measures and protocols for securing access to any office or building and ensure that all employees are aware of such controls; which can include CCTV, security lighting and alarms. Visitors should wear ID badges and be escorted at all times and sign in/out of the building. Access to areas processing personal data can be further secured with biometric locks, restricted access and access logs
- Disposal – correct disposal of paperwork and devices, along with protections for those that are lost, also forms part of the technical measures required by the GDPR. Shredding and certified disposal of hard-copy records is essential where personal data is held in paper formats. IT departments or knowledgeable persons should be in charge of IT disposal to guarantee effective and complete erasure of any personal data or access credentials before equipment leaves the organisation
- Cyber Security – this is an area too large to cover in this article, with today’s technology lending itself to advanced forms of hacking, vulnerabilities and constantly evolving threats. At the most basic level, firewalls, malware scans, anti-virus protection and patches and updates are essential on all devices and networks allowing access to confidential and personal data
- Passwords – it should go without saying that enforcing strong passwords should be a standard part of your approach to security. Note that current NCSC password guidance advises against forcing routine password changes for their own sake; instead require a change when compromise is known or suspected, and block common or previously breached passwords. Employees must also be aware that they must not share passwords or leave systems unlocked when unattended. Consideration should also be given to new devices, hardware and applications that often come with ‘default’ logins and passwords when first used, which must be changed immediately
- BYOD & Remote Access – it is quite commonplace now for employees to ‘bring their own device’ to work or to use a company laptop or tablet when outside the office. These devices are often used to access the organisation’s network and common applications such as email, and so must be protected (for example with device encryption and the ability to revoke access to, or wipe, a lost or stolen device), secured and regularly reviewed
- The ICO has greatly expanded its ‘Security’ guidance in relation to the GDPR, and now offers suggestions and measures that should be included in your technical and organisational controls – https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/security
- The ICO also recommends adhering to frameworks such as the government’s Cyber Essentials scheme – https://www.cyberessentials.ncsc.gov.uk
- In addition to our many GDPR packages, we also include an extensive Information Security Policy set in our GDPR Toolkit, or available as a standalone pack – https://www.knowyourcompliance.com/product-category/gdpr