Much to the dismay of many organisations, the GDPR is officially here. Despite having two years to comply, only 16 per cent of organisations are very confident in their GDPR preparations, according to a recent survey from the Institute of Directors. And, if there’s one area that your organisation needs to be confident about, it’s data security.
Under the GDPR, your organisation should have the following security measures in place:
- The personal data your organisation holds can be accessed, altered, disclosed or deleted only by those you have authorised to do so. In addition, those authorised individuals can only act within the boundaries that you have outlined for them.
- The personal data that your organisation holds is accurate and complete in relation to why you are processing it.
- The personal data remains accessible and usable. For example, if personal data is accidentally lost, altered or destroyed, you should be able to recover it and prevent any damage or distress to the affected individuals.
However, rather than providing a one-size-fits-all security procedure, the GDPR recommends that each organisation conducts a data protection self-assessment. While your organisation’s data security needs are unique, you should in general have the following practices in place:
- Analyse the risks presented by your processing, and use this to assess the appropriate level of security you need to put in place.
- Draft an information security policy and implement it.
- Review your information security policies and measures on a regular basis and improve them if necessary.
- Put in place basic technical controls, such as those specified by established frameworks like Cyber Essentials.
- Use encryption and pseudonymisation where appropriate.
- Understand the requirements of confidentiality, integrity and availability for the personal data you process.
- Ensure that you can restore access to personal data in the event of any incidents, such as by establishing an appropriate backup process.
- Ensure that any data processor you use also implements appropriate technical and organisational measures.
If your preparations are less than sterling or there are gaps, you could be fined up to €20 million or 4 per cent of your annual turnover, whichever is higher. For more information on ensuring that your organisation’s data security is GDPR compliant, contact NC Insurance today.