What is meant by considering the “state of the art”?
Consensus of security professionals
You should place weight on this sort of industry consensus when determine whether to implement a particular control/systems etc
What is meant by “appropriate technical and organisational measures”?
This can include:
- Technical controls
- Organisational policies and procedures
Up to the controller and processor to decide what’s appropriate to their particular circumstances of their processing
the measures should be sufficient to ensure things like:
- Pseudonymisation and Encryption
To ensure
- Confidentially
- Integrity
- Resilience
Of the personal data
What kind of risks should you take into account when considering what might be appropriate security measures?
Think about the consequences of the following things happening to the data:
- Accidental or unlawful destruction of data
- Loss of data
- Alteration of data
- Unauthorised disclosure of, or access to, personal data
Especially if leads to physical or material damage
Think about
- the nature of the data to be processed
- context, purpose and scope of the processing
- threats to the data
- harms that could result from a breach
(So if SCD is being processed, this will need enhanced protection and security measures)
What security measures should you have in place?
It has to be appropriate to the risk of processing
- the more sensitive, the more security you need
- the context of the processing (e.g. is it a sensitive context)
- purpose of the processing
- scope of processing (the more data you’re collecting, the stronger measures you need to have in place as the consequences of losing the data would be more significant)
Take into account state of the art and cost of implementation
What are security controls?
They are the actual processes used to to ensure the security of an information system
The system must provide prompt notification if a control fails
What are the four main attributes which security controls need to have?
- Confidentially
Individuals, entities, systems or applications access data on a need to know basis - Integrity
Controls are in place to ensure data is accurate and complete (links to accuracy principle) - Availability
Data is accessible when needed for a business activity - Resilience
Data is able to withstand and recover from errors or threats (a roll-back option with a content management system is an example of this, as it can help data withstand and recover from threats, including errors)
(CIA - is already common in InfoSec practice, but resilience is new)
What are some practical considerations to think about when implementing security controls?
- Management and worker buy-in
- A policy framework
- The physical environment in which the data is stored
- information technology
- incident detection and response
What is a policy framework?
The repository for all the organisation’s rules for confidentiality and security
It contains:
- the security objectives and scope
- roles and responsibilities
It should be approved by management, communicated to all employees and relevant external parties and should be reviewed periodically
Give some examples of IT security measures that can be used to protect personal data
- Encryption (GDPR specifically suggests implementation of pseudonymisation and encryption)
- Antivirus and anti-spam technology
- Firewalls
- Identity and access management
- Incident detection
- Data loss prevention
- Two-factor authentication
- IP log management
- Regular security code peer review
What is the purpose of incident detection and response?
Regular testing of technical and organisational measures assesses and evaluates their effective
This also helps ensure the ability to restore availablity and access to personal data in a timely manner if it is lost
Article 28 says that controllers should only hire processors who can provide sufficient guarantees to…?
- Implement appropriate technical and organisational measures
- in such a manner as to ensure processing will meet the requirements of the GDPR
- and ensure the protection of the rights of the data subject
In addition to a contract, the term “sufficient guarantees” covers assurance mechanisms such as appropriate checking and vetting of the processor
(E.g. through a 3rd party assessment of certification validations before and after creating a contract)
(remember the notes around not just relying on contractual assurances in the RTB report)
Under Article 28, what information does a processor contract need to include?
- the subject matter and duration of processing
- the nature and suppose the processing
- type of personal data
- categories of personal data
- obligations and rights of the controller
Is the processor liable for non-compliance by their sub-processor?
Yes, they are
