Apr 26

GDPR Security Measures

I. Introduction

The General Data Protection Regulation (GDPR) is an EU regulation that soon celebrates five years of being in force (May 25th). GDPR compliance is essential for organisations inside or outside the EU that handle personal data of EU/EEA residents or offer them goods or services. Since Brexit, the UK has had its own version of the GDPR, simply called the UK GDPR. Both pieces of legislation specifically call for the security of processing in Article 32. This post will elaborate on a list of different types of security measures that your organisation can consider.

For another type of legal discussion, please visit my previous article on this topic. But here comes a slightly modified paragraph from that article as a sneak peek:

The chosen measure must be appropriate to the risks posed by processing, meaning that the law does not require absolute security. Instead, both controllers and processors are required to assess risks to know which measures are appropriate, and which are not, for them and their processing. The analysis of different measures includes assessing the state of the art, the costs of implementation, the nature, scope, context, and purposes of the processing, and the risks to the rights and freedoms of natural persons. — And if you want to know more about the factors that go into that assessment, please visit the post through the link above.

For now, let’s get cracking at some measures!

II. Some Security Measures for GDPR

The first measure that I want to talk about is access controls. It means that you limit access to personal data to only those employees who need it to perform their jobs, by controlling who can view, use, or otherwise access the restricted environment. For instance, a customer service representative may need access to customer data to resolve an issue, while a marketing specialist may not. Access controls can be implemented through, e.g., password-protected accounts and role-based or department-based access.

A measure that is implemented more and more these days is multifactor authentication. It works by adding an extra layer of security to password-based authentication by requiring users to use more than one method of authentication, such as a security token (time-based one-time password or TOTP comes to mind), or a biometric scan. This prevents unauthorized access even if a password is compromised.

Encryption is a very common measure. It is the process of converting data into a form that cannot be read without the corresponding key, which protects the information from unauthorized access. By encrypting personal data, organisations can ensure that even if a data breach occurs, the data is unusable to whoever obtained it, since without the key it will look like gibberish. Remember, encryption can be, and probably already is, used for all kinds of personal data that you keep.

Data backup is essential to prevent data loss in the event of a security breach or catastrophic failure. Personal data (and, to be honest, other information assets) should be backed up regularly to a secure location, preferably off-site, and you should make sure that the data can actually be restored if needed. The measure should ensure the ability to restore the availability of, and access to, personal data promptly.

Personnel training is a measure that should lead to employees understanding the importance of data privacy and how to recognize and prevent risks. Overall, the aim is also to lower the risk of incidents caused by the human factor, since it is most often the weakest link in the privacy program. Training could cover topics such as password management, phishing scams, and social engineering, among other things. Depending on the circumstances, it is a good way to introduce your organisation to the requirements of the GDPR and your data protection policy, and to commit it to them.

A measure to decrease the consequences of a potential incident or breach is to have an incident response plan (IRP). An IRP outlines the steps to be taken in the event of a security breach or other incident that could compromise personal data. It should include every step of the way (with procedures) from identifying, to containing the incident, and notifying affected individuals and the supervisory authorities in question. Have a look here to read an excellent article on the topic.

Two measures with a similar theme, borrowed from the very common ISO 27001 framework, are, firstly, vulnerability scanning and management, which can help to identify weaknesses in security systems and address them. Scans should be conducted at least annually or whenever there is a significant change in the organisation’s IT environment. Secondly, penetration testing (pen-testing) is a type of proactive measure where you simulate attacks to identify weaknesses in security systems and plug them before something happens. Pen-tests can be conducted regularly by internal or external security experts.

The organisation should also make sure that devices run up-to-date software, so that known security vulnerabilities cannot be exploited. Organisations should especially make sure that security patches and updates are promptly rolled out to all software used in the processing of personal data. This could be formalised in a system update policy.

The technical measure of network segmentation is the practice of separating different parts of the network into subnetworks to prevent unauthorized access to sensitive data. Segmented networks can be created using firewalls, virtual private networks (VPNs), and other types of technologies. This improves network security by reducing the attack surface and containing potential threats within a smaller area. By limiting access to sensitive data and systems, network segmentation helps to prevent unauthorized access and data breaches. There are downsides to consider as well. Besides costs, it can increase the complexity of network management, as there are more subnetworks to configure and maintain. Additionally, if not designed and implemented correctly, it can create new security risks and impact network performance.

A firewall is an excellent measure that controls and filters network traffic, detecting and preventing threats. It helps to protect against unauthorized access to networks and systems. It is usually configured to block incoming traffic that does not meet specific criteria, such as IP address or port number. On a similar note, an intrusion prevention system (IPS) can give additional protection by monitoring networks and systems for signs of unauthorized access or malicious activity. These systems operate in the network layer, analysing traffic as it flows through the network. An IPS can identify a wide range of threats, including viruses, malware, trojans, worms, and denial-of-service (DoS) attacks.

Then there of course are various physical security measures, such as secure entry controls, CCTV, and alarm systems, that can help prevent access to physical locations where personal data is stored or processed.

A well-thought-out and comprehensive Data Protection Policy, together with more specific policies and procedures (clean desk, bring your own device, and remote work policies; data breach or data subject request procedures; and the IRP), is another type of measure, called organisational measures. They are even written out in Article 24(1) of the GDPR. The policy should include a process for regularly testing, assessing and evaluating the effectiveness of the security measures to ensure that they continue to meet GDPR requirements. This could include security audits, pen testing, or vulnerability assessments.

Furthermore, there are a variety of assessments that can be utilised as a measure to increase overall security. One is a regular risk assessment, which can help to identify vulnerabilities and threats to personal data. Risk assessments can for example be done annually or whenever there is a significant change in the organisation’s IT environment. To manage vendors, you can use a vendor assessment to ensure that those who handle personal data on your behalf are GDPR-compliant and have proper technical and organisational measures in place.

Pseudonymisation is a great measure that involves replacing personal data points (e.g. name, address) with pseudonyms, so that you need to combine additional information to identify the data subject. This naturally makes it more difficult to identify individuals if done correctly, and the additional information is under its own security measures. Keep in mind that it is still personal data, since the data subject is identifiable, unlike anonymisation where the data subject is not or no longer identifiable.
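As an added example (not code from the original post), the following Python class pseudonymises the direct identifiers of a record with a keyed HMAC-SHA256 and keeps the key and the reverse lookup table as the separately stored "additional information" the paragraph refers to. The field names, key and sample record are constructed for the example. A keyed function is used rather than a plain hash because names and e-mail addresses come from a small enough space that an unkeyed hash could be reversed by simply trying candidates.

```python
import hashlib
import hmac
from typing import Dict, Iterable


class Pseudonymiser:
    """Replaces chosen identifier fields with deterministic pseudonyms.

    The HMAC key and the pseudonym -> original table together are the
    'additional information' needed to re-identify a data subject; they must
    live apart from the pseudonymised records, under their own access controls."""

    def __init__(self, key: bytes, fields: Iterable[str]):
        if len(key) < 32:
            raise ValueError("use a randomly generated key of at least 32 bytes")
        self._key = key
        self._fields = tuple(fields)
        self._lookup: Dict[str, str] = {}   # held separately in practice

    def pseudonym(self, value: str) -> str:
        # Same key + same value -> same pseudonym, so records about one person
        # stay linkable (useful for analytics) without exposing the identifier.
        digest = hmac.new(self._key, value.encode("utf-8"), hashlib.sha256)
        return "p_" + digest.hexdigest()[:16]

    def pseudonymise(self, record: Dict[str, object]) -> Dict[str, object]:
        out = dict(record)
        for field in self._fields:
            if out.get(field) is None:
                continue
            original = str(out[field])
            token = self.pseudonym(original)
            self._lookup[token] = original
            out[field] = token
        return out

    def reidentify(self, record: Dict[str, object]) -> Dict[str, object]:
        """Reverse the mapping; only callers allowed to hold the lookup table can do this."""
        out = dict(record)
        for field in self._fields:
            token = out.get(field)
            if isinstance(token, str) and token in self._lookup:
                out[field] = self._lookup[token]
        return out


# Constructed sample data for the example (not real people).
SAMPLE_KEY = b"example-key-please-generate-randomly-32b"
SAMPLE_RECORD = {"name": "Ada Example", "email": "ada@example.org",
                 "city": "Malmo", "orders": 3}


def demo() -> Dict[str, object]:
    ps = Pseudonymiser(SAMPLE_KEY, ("name", "email"))
    return ps.pseudonymise(SAMPLE_RECORD)


if __name__ == "__main__":
    print(demo())
```

Note that the output is still personal data in the GDPR sense: the city and order count remain, and anyone holding the key and table can re-identify the subject, which is exactly the difference from anonymisation that the paragraph points out.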

There are also measures for protecting data during transmission between systems or networks. This may involve using secure communication protocols (e.g. HTTPS), end-to-end encryption, and implementing specific access controls for transmissions.

Event logging means logging and monitoring events related to personal data, such as access attempts, changes, and deletions. This can help detect and investigate security incidents or breaches.
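The access-control and event-logging measures described above fit together naturally, so this added example (not code from the original post) serves both: a default-deny role-based check over a constructed role table, every decision appended to an audit log, and a small detection routine over that log that flags accounts with repeated denied attempts. User names, roles, resources and the threshold are assumptions of the example.

```python
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

Permission = Tuple[str, str]   # (resource, action)

# Constructed role -> permission table; the roles mirror the paragraph's example
# of a customer service representative versus a marketing specialist.
ROLE_PERMISSIONS: Dict[str, Set[Permission]] = {
    "customer_service": {("customer_record", "read"), ("customer_record", "update")},
    "marketing": {("campaign_stats", "read")},
    "dpo": {("customer_record", "read"), ("audit_log", "read")},
}


class AccessController:
    def __init__(self, user_roles: Dict[str, str]):
        self._user_roles = user_roles
        self.audit: List[Dict[str, object]] = []   # the event log

    def check_access(self, user: str, resource: str, action: str,
                     now: Optional[datetime] = None) -> bool:
        """Default deny: an unknown user, unknown role or missing permission all
        fail. Every decision is logged, allowed or not, so misuse and probing
        can be investigated later."""
        role = self._user_roles.get(user)
        allowed = role is not None and (resource, action) in ROLE_PERMISSIONS.get(role, set())
        self.audit.append({
            "ts": (now or datetime.now(timezone.utc)).isoformat(),
            "user": user, "role": role, "resource": resource,
            "action": action, "decision": "allow" if allowed else "deny",
        })
        return allowed


def repeated_denials(log: List[Dict[str, object]], threshold: int = 3) -> List[str]:
    """Users with at least `threshold` denied attempts, a simple signal that an
    account is probing data it has no business accessing."""
    counts = Counter(e["user"] for e in log if e["decision"] == "deny")
    return sorted(u for u, n in counts.items() if n >= threshold)


# Constructed users for the example.
USERS = {"alice": "customer_service", "bob": "marketing", "carol": "dpo"}


def demo() -> List[str]:
    ac = AccessController(USERS)
    ac.check_access("alice", "customer_record", "read")      # allowed
    for _ in range(3):
        ac.check_access("bob", "customer_record", "read")     # denied each time
    ac.check_access("mallory", "customer_record", "read")    # unknown user, denied
    return repeated_denials(ac.audit)


if __name__ == "__main__":
    print(demo())   # ['bob']
```

In a real system the audit entries would go to an append-only store that the application accounts cannot modify, since a log that the same accounts can edit is of little use during an investigation.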

Secure system configuration means ensuring that IT systems are configured securely, including their default configurations. This may involve disabling unnecessary services, applying security patches, and hardening the system to reduce vulnerabilities by, e.g., removing or disabling unnecessary software and services and implementing secure configuration settings for operating systems, applications, and network devices.

Obtaining a certification such as ISO 27001 or SOC 2 by a third party enhances trust and could demonstrate compliance and adherence to the frameworks. It usually includes a rigorous risk assessment where security risks have been identified and mitigated effectively.

Measures for ensuring data minimisation involve limiting the amount of personal data collected and processed to only what is necessary to achieve its specific purpose. This can help reduce the risk of data breaches or unauthorized access to personal data. So what you should do is examine and scrutinise the collection and subsequent use of personal data for your purposes.

Various measures for ensuring data quality refer to the steps taken to ensure that personal data is accurate, complete, and up-to-date. Ensuring data quality is important for several reasons. First, inaccurate or incomplete data can lead to incorrect decisions, which can have serious consequences. Second, ensuring data quality is a legal requirement under the GDPR, as personal data must be accurate and up-to-date. To ensure data quality, organizations may implement some measures. These may include:

  • Data validation: Implementing checks and controls to ensure that the data being entered into the system is accurate and complete.
  • Data cleaning: Removing duplicates, inconsistencies, and inaccuracies from the data.
  • Data standardization: Ensuring that data is consistently formatted and structured across the organization.
  • Data profiling: Analysing data to identify patterns, anomalies, and inconsistencies.
  • Data enrichment: Enhancing the data with additional information from external sources.

Another measure is establishing policies and procedures for the retention and deletion of personal data. This may involve setting retention periods for different types of personal data, and implementing processes to ensure the secure deletion of the data once it is no longer needed.

Finally, appointing responsible persons includes establishing clear lines of responsibility for data protection and security within an organisation. This may involve designating a Data Protection Officer (DPO), amending the IRP for incident response and reporting, and regularly reviewing and evaluating data protection and security practices.

III. Conclusion

This post has highlighted various security measures that organizations can implement to comply with the GDPR. The appropriate security measure must be chosen based on the risks posed by processing and the assessment of various factors such as cost, context, and nature of the processing. Best of luck with the implementation, and remember to keep monitoring and evaluating the security measures to ensure their effectiveness and relevance!
