GDPR sets out seven key principles:
- Lawfulness, fairness, transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
In this and future editions of the newsletter, we're going to take a more in-depth look at these principles, one principle per newsletter, to add some clarity to your GDPR thinking.
We'll start with principle 6, the security principle, as it has relevance to the business travel story in this edition of the newsletter.
Much of the security side of the GDPR is not new to anyone. The Data Protection Act 1998 (the 1998 Act), which the GDPR replaced, required companies to have 'appropriate technical and organisational measures' in place to ensure data security. Much of what was described as good or best practice under the 1998 Act is a legal requirement under the GDPR, so there's a distinct possibility that you're already very well prepared for the requirements of this principle.
There is no 'one-size-fits-all' GDPR; it is based upon what is appropriate for your business, and you should consider things like risk and the cost of implementation when deciding what security measures to take. It's also not just about cybersecurity: you need to consider physical and organisational security measures as well. Many of the cases reported by the ICO relate to incidents where information in physical form (print-outs, backup discs, old computers, etc.) has been left in unsecured premises and has therefore been compromised.
One thing is certain however, you need to get your ‘CIA triad’ spot on! The GDPR requires that data is:
‘processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures’
You also have to be able to restore availability of personal data 'in a timely manner' in the event of an incident. And there's your C.I.A.: Confidentiality, Integrity and Availability. If any one of these is compromised you're likely to have problems, so any security measures you put in place need to guarantee all three. Ensuring that people can only access what they really need to do their job, that it's correct, and that they can get to it when they need it is no mean feat! Oh, and there's a requirement for you to regularly 'stress-test' the systems you have in place, to ensure that they really are adequate and to show that you're addressing any areas of weakness.
Now all you need to do is apply all of this to your office(s), to any data processor you might employ, to those who work from home (all of the time or just some of the time), and then there are the people who travel for business...
But wait, you’re employing us as your DPO, so actually all you really need to do is grab yourself a cup of tea and give us a call to make sure we’ve got everything taken care of for you.