The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).
GDPR gives new requirements for technical measures for security of the personal data. According to them each organization has to be GDPR compliant and Nebosystems provides the given actions/services, which are:
- Analysis of the current security state of the IT infrastructure. Some experts call it GAP analysis. The GDPR GAP analysis provides an assessment of organization’s current level of compliance with the Regulation, and helps identify and prioritize the key work areas that each organization must address ahead of May 2018. If a lot corporate services are exposed to Internet, penetration testing is useful practice.
- Risk Assessment. According to GDPR the risks have to be identified and measured. We use ISO model of risk identification and calculation. Document called “Information System Security Risk Assessment Policy” have to be created. In a spreadsheet manner, each software system/solution have to be identified and have to be assessed. For example MAIL Server as system have to assessed. The ERP system, each cloud service, and atc. The idea is every used software/systems to be separated and measured separately.
- Choosing the right practices, software / hardware technologies, tools and solutions to reduce the identified risk such as: encryption; pseudonymization; anonymization; DLP solutions, SIEM solutions, Unified Security Management solutions and etc. After implementation the RISK analysis is done again. IS Security Audit is done too.
- Preparation of the internal information security policy. A document “Information Security Policy” is created. At this document any taken technical measure for securing the personal data have to be defined. In this document we need to define:
- The way users interact with server, workstations, different systems, databases and others;
- The password policy;
- New user registration;
- User right management;
- User access management accordance to “Access Matrix”;
- The access policy;
- WiFi usage is allowed only for guest access;
- The Server Firewall restrictions;
- Network segmentations with VLAN;
- SLA agreements with partners;
- Source code management and control;
- External Access with VPN;
- Some busines specific or IT infrastructure practices.
- Constant 24/7 monitoring and threat detection. Schedule security checks are made and if possible optimization is performed. DPO must notify the appropriate supervisory authorities within 72 hours after becoming aware of it where feasible. That notice must contain information about the nature of the data breach, describe likely consequences of the breach, and measures taken or proposed to address the breach and limit possible adverse effects. These breaches in personal data must be documented and remedial actions must be taken.