SOFFID BLOG

GDPR and data security

Feb 17, 2021 | Resources, soffid

The General Data Protection Regulation (GDPR) is the most significant overhaul of European Union (EU) data protection legislation in over 20 years. Amongst other things, it is intended to provide better protection to individuals and to give organizations greater certainty when navigating data protection across EU member states.

It includes 99 articles or clauses covering virtually every aspect of business and information management – everything from the consent to collect and process information, to the “right to be deleted”. Importantly for global businesses (including those outside the EU), the GDPR is supra-national: any business that processes the data of EU citizens falls under its remit, not just European businesses.

For cyber security professionals, the drive for data protection and information management is not new, but the level of detail, the data breach notification requirements and the fines in the GDPR bring a lot more focus to it.

As the scale of the cyber threat is revealed, organizations should welcome the data security requirements laid down by the GDPR as an opportunity to reduce the risk of data breaches. After all, if an organization’s data is compromised, regulatory fines may be the least of its worries.

While the GDPR introduces severe penalties for compliance failures, it will also force organizations to pay more attention to data security in the face of the looming cyber threat.

How to comply with the 5 cyber security clauses of GDPR

For security monitoring and operations in GDPR-compliant businesses there is increased focus on both prevention and avoidance of security and privacy breaches. Further, it is imperative to be able to respond quickly when a problem does occur, understand it and take action. The 72 hours allowed to notify the government authority is accompanied by an expectation that affected data subjects will be informed promptly. As a minimum, businesses handling personal data will need to:

  1. Engage the DPO (data protection officer) as part of the access and authorization approval processes.
  2. Use identity governance tools to obtain access attestation and to prevent unauthorized access.
  3. Create a catalogue of roles that identifies the personal data each application holds. Track each of these roles and review them in a timely manner.

Shall we talk about your needs? Our team can help you with your cybersecurity projects.

Sources:
(1) Dreamhost
(2) gdpr.eu
