The ICO and NCSC have recognised that there is a lot of confusion about the technical security measures required to comply with data protection obligations. New guidance has been published to help organisations consider what measures are appropriate.
GDPR requires you to have a level of security that is “appropriate” to the risks presented by your processing. You need to consider this in relation to the … costs of implementation, as well as the nature, scope, context and purpose of the processing. This reflects both the GDPR’s risk-based approach and the fact that there is no “one size fits all” solution to security.
This means that what’s “appropriate” for you will depend on your own circumstances, the processing you’re doing, and the risks it presents.
The guidance recommends adopting an outcomes-based approach built around the following four aims:
- manage security risk
- protect personal data against cyber attack
- detect security events
- minimise the impact.
In the guidance, under each of the aims above, measures are highlighted that organisations may wish to consider. Under ‘Protect personal data against cyber-attack’ it is stated that a business should have ‘proportionate security measures in place to protect against cyber-attack which cover:
- the personal data you process and
- the systems that process such data’.
The sub-headings under this aim set out the measures that organisations may wish to consider. They are also a useful checklist when reviewing the processes an organisation has in place, as regulators seem likely to ask for documentation under each heading in the event of an investigation. The sub-headings are:
- B.1 Service protection policies and processes
- B.2 Identity and access control
- B.3 Data security
- B.4 System security
- B.5 Staff awareness and training.
If you have any further questions please contact us on 0161 339 4989 or firstname.lastname@example.org.