9 Security Measures that will Help Prepare for GDPR
The General Data Protection Regulation (GDPR) will replace the Data Protection Directive (95/46/EC) in May 2018. Organisations in Europe that handle personal data of any kind, as well as all companies or organisations that share data with entities in the European Union (EU) in the regular course of business, are required to comply with the GDPR.
The end goal of the GDPR is to provide a set of standardised data protection laws. GDPR readiness will rely to a great extent on the existence of effective data privacy and security measures that avoid loss or compromise of personal data.
The following topics summarise key aspects of data security to consider when constructing an effective GDPR compliance plan. Most of these recommended security practices are already recognised by IT and security experts as best practices for secure information governance, so many organisations may already have some aspects of security in place that help them comply with GDPR.
Network and email security
Major risks of unauthorised network access to personal data include phishing, unauthorised access by advanced persistent threats (APT), ransomware, and other external attacks on the network. Keep firewall, virus protection, and operating systems up to date. Maintain a current inventory of devices (servers, workstations, laptops and remote devices) connected to the network.
Onsite and mobile devices
Update, patch, and migrate users from outdated and insecure browsers, applications, and browser plug-ins. This is important not just for computers, but mobile and IoT devices as well. Keep virus and intrusion prevention tools at the latest available versions.
Restrict email attachments
Symantec recommends that organisations configure mail servers to block or remove email that contains file attachments that are commonly used to spread viruses, such as .VBS, .BAT, .EXE, .PIF, and .SCR files. Ensure that mail servers are adequately protected by security software and that email is thoroughly scanned. Train users to recognise suspicious senders or attachments, and the remediation actions to take.
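The attachment policy above, as an added example that is not part of the original post: a gateway-style check, using Python's standard email library, that flags attachments whose final extension is on the article's block list. The block list, the sample message and the case-insensitive, last-extension comparison are assumptions of this example.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions the article names as commonly used to spread malware (assumed list).
BLOCKED_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr"}


def blocked_attachments(raw_message: bytes) -> list[str]:
    """Return the filenames of attachments whose final extension is blocked."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # Compare the LAST extension, lower-cased, so "Invoice.PDF.exe"
        # and "update.Scr" are both caught despite the decoy suffix and case.
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def build_sample_message() -> bytes:
    """Constructed test message: one benign PDF and two blocked attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Quarterly report"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ constructed", maintype="application",
                       subtype="octet-stream", filename="Invoice.PDF.exe")
    msg.add_attachment(b"constructed", maintype="application",
                       subtype="octet-stream", filename="update.Scr")
    return msg.as_bytes()


if __name__ == "__main__":
    print(blocked_attachments(build_sample_message()))
```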
Effective password policies
Employees and other insiders pose a significant threat of unauthorised access to personal data, so securing access by employees is an important defence. Users’ passwords should have at least 8-10 characters and a mixture of letters and numbers. Encourage users not to reuse the same passwords on multiple sites or applications. Sharing of passwords should be strictly forbidden. Passwords should be changed regularly, at least every 90 days.
Administrator access control
To comply with the law, there should be no one person in your organisation with full access to all files, and even your network administrator should have restricted access. It is recommended that the network administrator’s normal user account and the account with administrator privileges be kept separate, with the privileged account used only when appropriate. This makes auditing and control of administrator actions much simpler.
Secure data by classification
Understand the sensitivity of various types of data and classify it, then set access policies accordingly. For example, payroll and human resources data is highly sensitive, and should have strictly limited access, and not be duplicated or saved to mobile devices. Other data, for example sales collateral or content shared on the web, may be designated as ‘public’, and will have a lower level of security. When security levels are defined and enforced, educate users in the organisation about secure data practices.
Encryption
Depending on the volume of personal data an organisation handles, encryption may or may not be required by the regulation; an organisation handling minimal volumes may not be obliged to use it. Encryption can be implemented in on-premises and cloud infrastructure environments, including servers, network links, storage, and physical media. An effective encryption solution encrypts all devices, protects the keys appropriately, and encrypts personal data in transit.
Pseudonymization
GDPR defines pseudonymization as “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information.” For example, three data points, postal code, gender, and date of birth, when stored together make it possible to uniquely identify an individual. When the de-identified data is held separately from the information needed to re-identify it, the GDPR permits data handlers to use that data without infringing the rights of data subjects.
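The split described above, as an added example that is not part of the original post: the three quasi-identifiers (postal code, gender, date of birth) are first checked for how many records they single out, then moved into a separately held lookup table and replaced by a keyed token. The sample records, the HMAC-based token and the field names are assumptions of this example.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records: the article's three quasi-identifiers plus a payload.
RECORDS = [
    {"postal_code": "10115", "gender": "F", "dob": "1984-03-02", "salary": 52000},
    {"postal_code": "80331", "gender": "M", "dob": "1979-11-30", "salary": 61000},
    {"postal_code": "80331", "gender": "M", "dob": "1979-11-30", "salary": 58000},
    {"postal_code": "20095", "gender": "F", "dob": "1991-07-14", "salary": 47000},
]
QUASI_IDENTIFIERS = ("postal_code", "gender", "dob")


def unique_combinations(records, fields=QUASI_IDENTIFIERS) -> int:
    """Count records whose quasi-identifier combination occurs exactly once,
    i.e. records that the combination alone is enough to single out."""
    counts = Counter(tuple(r[f] for f in fields) for r in records)
    return sum(1 for r in records if counts[tuple(r[f] for f in fields)] == 1)


def pseudonymize(records, key: bytes, fields=QUASI_IDENTIFIERS):
    """Split records into a pseudonymized part (token + payload) and a
    separately held lookup table (token -> identifying fields).

    The token is an HMAC over the identifying fields: identical fields give
    the same token (joins still work), but nobody can recompute or reverse
    the mapping without `key`. Key and lookup table are GDPR's 'additional
    information' and belong in a separate, more tightly controlled store.
    """
    pseudo, lookup = [], {}
    for r in records:
        ident = "|".join(r[f] for f in fields)
        token = hmac.new(key, ident.encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = {f: r[f] for f in fields}
        pseudo.append({"id": token, **{k: v for k, v in r.items() if k not in fields}})
    return pseudo, lookup


def reidentify(pseudo_record, lookup):
    """Attribution is only possible for whoever holds the separate table."""
    return lookup.get(pseudo_record["id"])


if __name__ == "__main__":
    print(unique_combinations(RECORDS), "of", len(RECORDS), "records are singled out")
    pseudo, lookup = pseudonymize(RECORDS, b"constructed-test-key")
    print(pseudo[0], "->", reidentify(pseudo[0], lookup))
```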
“Privacy by Design”
GDPR requires both data protection by design and data protection by default. This means that data protection safeguards should be built into products and services from the earliest stage of development. Privacy and data protection should become key considerations in the early stages of any project, for example:
- Creating web forms or customer ordering & communication systems where customer data will be collected
- Building new IT systems for storing or accessing personal data
- Developing legislation, policy or strategies that have privacy implications
Executive level accountability
All security processes and structures should be kept at optimal performance through regular audits, effective governance, and incident recovery/response planning. To demonstrate compliance with GDPR, the regulations suggest that a data protection officer (DPO) be assigned and authorised to ensure compliance. The role of the DPO includes issuing audit requirements, reporting breaches, and acting as a point of contact for regulators and data authorities.
July 18, 2017 by James MacGregor
Link to original post http://www.fronteo.com/usa/9-security-measures-that-will-help-prepare-for-gdpr/