The Cyber Security Checklist: Keeping Your Data Secure

It can be hard to know where to start with a subject as broad and complex as cyber security. There is no single fix or one-off action that resolves an organisation's security problems, so how do you go about protecting your digital assets?

If your company stores or processes any form of personal data, you will probably be familiar with the GDPR, or with the UK GDPR, the version retained in UK law after Brexit, which sits alongside the Data Protection Act 2018. What, though, does this substantial body of law actually say about cyber security?

The "integrity and confidentiality" principle in article 5 of the GDPR ("Principles relating to the processing of personal data") requires that personal data be processed in a manner that ensures appropriate security, "including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures".

The regulation uses the phrase "technical and organisational measures" repeatedly, but it never spells out what those measures must be. To help, we have put together a checklist of the essential organisational and technical steps you need to take to comply with this central requirement of the UK GDPR.

But first, what is meant by ‘appropriate’ in this context?

Simply put, it means that your measures should be consistent with industry best practice and proportionate to the level of risk involved. The GDPR is a fairly pragmatic piece of law: article 32 explicitly allows the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing to be taken into account, and it recognises that there are practical limits on the safeguards controllers and processors can implement. Consider the following when deciding whether a measure is "appropriate":

  •          The sensitivity of the data. 'Special category' data (article 9), such as health, biometric or genetic data, should be subject to stronger protections.
  •          The level of risk the data is exposed to, including the likelihood and severity of harm to the people it concerns (quantified through risk assessments).
  •          Industry best practice and the state of the art. Aim for the strongest protections that are feasible rather than the minimum considered acceptable.
  •          The cost of implementation, weighed against the risk rather than used as a justification on its own.

For each "technical and organisational" measure you implement, keep a supporting document that records the reasoning above so that you can demonstrate compliance. In short, you want to be able to show that the protection is proportionate to the risks involved.

Organisational measures

Organisational measures are the internal procedures, practices, policies and other actions that controllers and processors put in place to support the security of personal data. Firewalls and antivirus software are what usually come to mind when cyber security is discussed, but organisational measures play an equally significant part. Key organisational measures include:

Business continuity planning

Business continuity and backup arrangements are clearly required by the GDPR. Article 32(1)(c) says that controllers and processors shall ensure:

"the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident"

A business continuity plan (BCP) is a set of documents describing how your company would respond to a disruptive incident such as a cyberattack, theft, flood or office fire. You should draft documents for the various contingencies, including details of the backup systems that would be used to restore personal data and how often those backups are taken and tested. To protect the integrity of data that has not yet been affected, the plan should also describe how you would isolate and contain the problem.

Information Security Policies (ISP)

A thorough information security policy ensures that everyone in your organisation has a reference for data security best practice and provides the framework for the controls you implement. Your ISP should cover the following areas in a broad but comprehensive manner:

  •          Authentication and access. It should specify who has access to which information and what authentication controls must be in place to regulate that access.
  •          Categorisation of data. Your organisation's data categories, their associated risk profiles, and the implications for processing and access should all be set out in the policy.
  •          Backup and archiving. The policy should explain the backup arrangements that must be used, along with specifics of additional safeguards such as encryption of backups.
  •          Security awareness training. Any security awareness training that staff must complete should be specified by the ISP.
  •          Employee obligations. The policy should include a comprehensive list of employee obligations in relation to your data security goals, such as choosing strong passwords, following "acceptable use" rules for mobile devices, and ensuring that paper records are stored and disposed of securely.
  •          Technical measures in detail. Every technical control that data must be subject to should be listed in the policy.

 

Risk assessments

Risk assessments are essential for maintaining GDPR compliance. A risk assessment is the process by which you identify, analyse and quantify the threats to your data and the likelihood and impact of each. Each "technical and organisational" measure you put in place should be backed by a risk assessment so that you can confidently claim it is "appropriate", as required by the integrity and confidentiality principle.

Security training and cyber security awareness

Attacks that target end users, such as phishing and other forms of social engineering, are among the most common cyber security threats. A programme of staff security awareness training is therefore one of the most cost-effective ways of reducing the likelihood that such attacks succeed. Your information security policy should set out what training is required and how often it must be repeated.

Regular audits

You must implement a range of technical and organisational measures and then regularly audit them to determine how effective they are. Indeed, the GDPR contains a specific provision for this in article 32(1)(d), which requires controllers and processors to implement:

"a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing"

These audits are essential for confirming that the safeguards in place actually work, and will help you demonstrate to the Information Commissioner's Office (ICO) that you have made a good-faith effort to meet your data security obligations.

Due diligence checks

If you outsource data processing to a third party, it is your responsibility as controller to ensure that they have implemented appropriate technical and organisational measures to secure the data, as article 28 of the GDPR requires; the arrangement must also be governed by a written contract setting out the processor's obligations. This should be established through careful due diligence checks, the results of which should be kept on file.

Conclusion

Compliance is a serious matter given that the maximum fine for a UK GDPR violation is £17.5 million or 4% of annual worldwide turnover, whichever is higher. This article gives a brief summary of the organisational measures required; adopting them will help secure the personal data you hold and show that you are making a genuine effort to comply with the law. In our next article we will describe the "technical measures" required to comply with the UK GDPR so that you can evaluate your data security architecture.