How to Demonstrate Compliance With GDPR Article 32

Security of Processing

GDPR Article 32 requires organisations to implement measures that achieve an adequate level of security across their data processing operations.

To achieve this, organisations need to take into account:

  • Prevailing technological trends.
  • Implementation costs.
  • The scope of any processing.
  • The rights and freedoms of the people whose data is being processed.

GDPR Article 32 Legal Text

EU GDPR Version

Security of processing

  1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
    • The pseudonymisation and encryption of personal data.
    • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
    • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
    • A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
  2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
  3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.
  4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.

UK GDPR Version

Security of processing

  1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
    • The pseudonymisation and encryption of personal data.
    • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
    • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
    • A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
  2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
  3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.
  4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by domestic law.

Technical Commentary

GDPR Article 32 asks organisations to take a risk-based approach to data processing that takes into consideration several key variables:

  • A thorough risk assessment that takes into consideration the accidental or unlawful destruction or alteration of personal data, access to data and how data is managed.
  • Researching technical measures that mitigate risk across the entire organisation.
  • Implementing techniques and measures that deal with any risks that are most likely to occur.
  • Codes of Conduct that hold the organisation and individuals within it accountable for their actions when handling data.
  • Guarantees to data subjects that anyone interacting with their data is doing so in an appropriate and lawful way.

ISO 27701 Clause 5.2.1 (Understanding the Organisation and Its Context) and EU GDPR Article 32 (3)

Organisations need to undergo a mapping exercise that lists both internal and external factors relating to the implementation of a PIMS.

The organisation needs to be able to understand how it’s going to achieve its privacy protection outcomes, and any issues that stand in the way of safeguarding PII should be identified and addressed.

Before attempting to address privacy protection and implement a PIMS, organisations need to first gain an understanding of their obligations as a singular or joint PII controller and/or processor.

This includes:

  • Reviewing any prevailing privacy laws, regulations or ‘judicial decisions’.
  • Taking into account the organisation’s unique set of requirements relating to the kind of products and services they sell, and company-specific governance documents, policies and procedures.
  • Any administrative factors, including the day-to-day running of the company.
  • Third party agreements or service contracts that have the potential to impact upon PII and privacy protection.

ISO 27701 Clause 5.2.3 (Determining the Scope of the Information Security Management System) and EU GDPR Article 32 (2)

ISO recommends a thorough scoping exercise, so that organisations are able to produce a PIMS that first meets its privacy protection requirements, and secondly does not creep into areas of the business that aren’t in need of attention.

Organisations should establish and document:

  1. Any external or internal issues, as outlined in ISO 27001 4.1.
  2. Third-party requirements as outlined in ISO 27001 4.2.
  3. How the organisation interacts with both itself and external bodies (e.g. customer touchpoints, ICT interfaces).

All scoping exercises that map out a PIMS implementation should include a thorough assessment of PII processing and storage activities.

ISO 27701 Clause 5.2.4 (Information Security Management System) and EU GDPR Article 32 (2)

Organisations should seek to implement, manage and optimise a Privacy Information Management System (PIMS), in-line with published ISO standards.

ISO 27701 Clause 5.4.1.2 (Information Security Risk Assessment) and EU GDPR Article 32 (1)(b) and 32 (2)

Organisations should map out and implement a privacy protection risk assessment process that:

  • Includes risk acceptance criteria, for the purposes of carrying out privacy protection assessments.
  • Provides a framework for the comparable analysis of all privacy protection assessments.
  • Pinpoints privacy protection risks (and their owners).
  • Considers the dangers and risks inherent with the loss of ‘confidentiality, availability and integrity’ of PII.
  • Analyses privacy protection risks alongside three factors:
    • Their potential consequences.
    • The probability of them occurring.
    • Their severity.
  • Analyses and prioritises any identified risks in accordance with their risk level.

ISO 27701 Clause 5.4.1.3 (Information Security Risk Treatment) and EU GDPR Article 32 (1)(b)

Organisations should draft and implement a privacy protection/PII ‘risk treatment process’ that:

  • Implements a privacy protection ‘risk treatment plan’.
  • Identifies how a PIMS should treat individual risk levels, based on a set of assessment results.
  • Highlights a series of controls that are required to implement privacy protection risk treatment.
  • Cross-references any controls identified with the comprehensive list provided by ISO in Annex A of ISO 27001.
  • Documents and justifies the use of any controls used in a formal ‘Statement of Applicability’.
  • Seeks approval from any risk owners before finalising a privacy protection risk treatment plan that includes any ‘residual’ privacy protection and PII risks.

ISO 27701 Clause 6.11.1.2 (Security in Development and Support Processes) and EU GDPR Article 32 (1)(a)

Application security procedures should be developed alongside broader privacy protection policies, usually via a structured risk assessment that takes into account multiple variables.

Application security requirements should include:

  • The levels of trust inherent within all network entities (see ISO 27002 Controls 5.17, 8.2 and 8.5).
  • The classification of data that the application is configured to process (including PII).
  • Any segregation requirements.
  • Protection against internal and external attacks, and/or malicious use.
  • Any prevailing legal, contractual or regulatory requirements.
  • Robust protection of confidential information.
  • Data that is to be protected in-transit.
  • Any cryptographic requirements.
  • Secure input and output controls.
  • Minimal use of unrestricted input fields – especially those that have the potential to store personal data.
  • The handling of error messages, including clear communication of error codes.

Transactional services that facilitate the flow of privacy data between the organisation and a third party organisation, or partner organisation, should:

  1. Establish a suitable level of trust between organisational identities.
  2. Include mechanisms that check for trust between established identities (e.g. hashing and digital signatures).
  3. Outline robust procedures that govern which employees are able to manage key transactional documents.
  4. Contain document and transactional management procedures that cover the confidentiality, integrity, proof of dispatch and receipt of key documents and transactions.
  5. Include specific guidance on how to keep transactions confidential.

For any applications that involve electronic ordering and/or payment, organisations should:

  • Outline strict requirements for the protection of payment and ordering data.
  • Verify payment information before an order is placed.
  • Securely store transactional and privacy-related data in a way that is inaccessible to the public.
  • Use trusted authorities when implementing digital signatures, with privacy protection in mind at all times.

Supporting ISO 27002 Controls

  • ISO 27002 5.17
  • ISO 27002 8.2
  • ISO 27002 8.5

ISO 27701 Clause 6.12.1.2 (Addressing Security Within Supplier Agreements) and EU GDPR Article 32 (1)(b)

When addressing security within supplier relationships, organisations should ensure that both parties are aware of their obligations towards privacy information security, and one another.

In doing so, organisations should:

  • Offer a clear description that details the privacy information that needs to be accessed, and how that information is going to be accessed.
  • Classify the privacy information to be accessed in accordance with an accepted classification scheme (see ISO 27002 Controls 5.10, 5.12 and 5.13).
  • Give adequate consideration to the supplier’s own classification scheme.
  • Categorise rights into four main areas – legal, statutory, regulatory and contractual – with a detailed description of obligations per area.
  • Ensure that each party is obligated to enact a series of controls that monitor, assess and manage privacy information security risk levels.
  • Outline the need for supplier personnel to adhere to an organisation’s information security standards (see ISO 27002 Control 5.20).
  • Facilitate a clear understanding of what constitutes both acceptable and unacceptable use of privacy information, and physical and virtual assets from either party.
  • Enact authorisation controls that are required for supplier-side personnel to access or view an organisation’s privacy information.
  • Give consideration to what occurs in the event of a breach of contract, or any failure to adhere to individual stipulations.
  • Outline an Incident Management procedure, including how major events are communicated.
  • Ensure that personnel are given security awareness training.
  • (If the supplier is permitted to use subcontractors) add in requirements to ensure that subcontractors are aligned with the same set of privacy information security standards as the supplier.
  • Consider how supplier personnel are screened prior to interacting with privacy information.
  • Stipulate the need for third-party attestations that address the supplier’s ability to fulfil organisational privacy information security requirements.
  • Have the contractual right to audit a supplier’s procedures.
  • Require suppliers to deliver reports that detail the effectiveness of their own processes and procedures.
  • Focus on taking steps to affect the timely and thorough resolution of any defects or conflicts.
  • Ensure that suppliers operate with an adequate BUDR (backup and disaster recovery) policy, to protect the integrity and availability of PII and privacy-related assets.
  • Require a supplier-side change management policy that informs the organisation of any changes that have the potential to impact privacy protection.
  • Implement physical security controls that are proportional to the sensitivity of the data being stored and processed.
  • (Where data is to be transferred) ask suppliers to ensure that data and assets are protected from loss, damage or corruption.
  • Outline a list of actions to be taken by either party in the event of termination.
  • Ask the supplier to outline how they intend to destroy privacy information following termination, or if the data is no longer required.
  • Take steps to ensure minimal business interruption during a handover period.

Organisations should also maintain a register of agreements, that lists all agreements held with other organisations.

Supporting ISO 27002 Controls

  • ISO 27002 5.10
  • ISO 27002 5.12
  • ISO 27002 5.13
  • ISO 27002 5.20

ISO 27701 Clause 6.15.2.1 (Independent Review of Information Security) and EU GDPR Article 32

In this section we talk about GDPR Articles 32 (1)(b), 32 (1)(d) and 32 (2).

Organisations should develop processes that cater for independent reviews of their privacy information security practices, including both topic-specific policies and general policies.

Reviews should be conducted by:

  • Internal auditors.
  • Independent departmental managers.
  • Specialised third-party organisations.

Reviews should be independent and carried out by individuals with sufficient knowledge of privacy protection guidelines and the organisations own procedures.

Reviewers should establish whether privacy information security practices are compliant with the organisation’s “documented objectives and requirements”.

As well as structured periodic reviews, organisations may come across the need to conduct ad-hoc reviews that are triggered by certain events, including:

  • Following amendments to internal policies, laws, guidelines and regulations which affect privacy protection.
  • After major incidents that have impacted upon privacy protection.
  • Whenever a new business is created, or major changes are enacted to the current business.
  • Following the adoption of a new product or service that deals with privacy protection in any way.

ISO 27701 Clause 6.15.2.3 (Technical Compliance Review) and EU GDPR Articles 32 (1)(d) and 32 (2)

Organisations need to ensure that personnel are able to review privacy policies across the full spectrum of business operations.

Management should develop technical methods of reporting on privacy compliance (including automation and bespoke tools). Reports should be recorded, stored and analysed to further improve PII security and privacy protection efforts.

Where compliance issues are discovered, organisations should:

  • Establish the cause.
  • Decide upon a method of corrective action to plug any compliance gaps.
  • Revisit the issue after an appropriate period of time, to ensure the problem is resolved.

It is vitally important to enact corrective measures as soon as possible. If issues aren’t fully resolved by the time of the next review, at a minimum, evidence should be provided to show that progress is being made.

ISO 27701 Clause 6.5.2.1 (Classification of Information) and EU GDPR Article 32 (2)

Rather than put all information held on an equal footing, organisations should classify information on a topic-specific basis.

Information owners should consider four key factors when classifying data (especially PII); the classification should be reviewed periodically, or whenever these factors change:

  1. The confidentiality of the data.
  2. The integrity of the data.
  3. Data availability levels.
  4. The organisation’s legal obligations towards PII.

To provide a clear operational framework, information categories should be named in accordance with the inherent risk level, should any incidents occur that compromise any of the above factors.

To ensure cross-platform compatibility, organisations should make their information categories available to any external personnel who they share information with, and ensure that the organisation’s own classification scheme is widely understood by all relevant parties.

Organisations should be wary of either under-classifying or, conversely, over-classifying data. The former can lead to mistakes in grouping PII in with less-sensitive data types, whilst the latter often leads to added expense, a greater chance of human error and processing anomalies.

ISO 27701 Clause 6.5.3.1 (Management of Removable Media) and EU GDPR Article 32 (1)(a)

When developing policies that govern the handling of media assets involved in storing PII, organisations should:

  • Develop unique topic-specific policies based upon departmental or job-based requirements.
  • Ensure that proper authorisation is sought and granted, before personnel are able to remove storage media from the network (including keeping an accurate and up-to-date record of such activities).
  • Store media in accordance with the manufacturer’s specifications, free from any environmental damage.
  • Consider using encryption as a prerequisite to access, or where this isn’t possible, implementing additional physical security measures.
  • Minimise the risk of PII becoming corrupted by transferring information between storage media, as is required.
  • Introduce PII redundancy by storing protected information on multiple assets at the same time.
  • Only authorise the use of storage media on approved inputs (e.g. SD card slots and USB ports), on an asset-by-asset basis.
  • Closely monitor the transfer of PII onto storage media, for any purpose.
  • Take into consideration the risks inherent within the physical transfer of storage media (and by proxy, the PII contained on it), when moving assets between personnel or premises (see ISO 27002 Control 5.14).

When re-purposing, re-using or disposing of storage media, robust procedures should be put in place to ensure that PII is not affected in any way, including:

  • Formatting the storage media, and ensuring that all PII is removed before re-use (see ISO 27002 Control 8.10), including maintaining adequate documentation of all such activities.
  • Securely disposing of any media that the organisation has no further use for, and has been used to store PII.
  • If disposal requires the involvement of a third party, organisations should take great care to ensure they are a fit and proper partner to perform such duties, in line with the organisation’s responsibility towards PII and privacy protection.
  • Implementing procedures that identify which storage media are available for re-use, or can be disposed of accordingly.

If devices that have been used to store PII become damaged, organisations should carefully consider whether it is more appropriate to destroy such media or send it for repair (erring on the side of the former).

ISO warns organisations against using unencrypted storage devices for any PII-related activities.

Supporting ISO 27002 Controls

  • ISO 27002 5.14

ISO 27701 Clause 6.5.3.3 (Physical Media Transfer) and EU GDPR Article 32 (1)(a)

See the section above on ISO 27701 Clause 6.5.3.1.

Additional Information

If media is to be disposed of that previously held PII, organisations should implement procedures that document the destruction of PII and privacy-related data, including categorical assurances that it is no longer available.

Supporting ISO 27002 Controls

  • ISO 27002 5.14

ISO 27701 Clause 6.7.1.1 (Policy on the Use of Cryptographic Controls) and EU GDPR Article 32 (1)(a)

Organisations should use encryption to protect the confidentiality, authenticity and integrity of PII and privacy-related information, and to adhere to their various contractual, legal or regulatory obligations.

Encryption is a far-reaching concept – there is no ‘one size fits all’ approach. Organisations should assess their needs and choose a cryptographic solution that meets their unique commercial and operational objectives.

Organisations should consider:

  • Developing a topic-specific approach to cryptography, that takes into account various departmental, role-based and operational requirements.
  • The appropriate level of protection (along with the type of information to be encrypted).
  • Mobile devices and storage media.
  • Cryptographic key management (storage, processing etc.).
  • Specialised roles and responsibilities for cryptographic functions, including implementation and key management (see ISO 27002 Control 8.24).
  • The technical encryption standards that are to be adopted, including algorithms, cipher strength, best practice guidelines.
  • How encryption will work alongside other cyber security efforts, such as malware protection and gateway security.
  • Cross-border and cross-jurisdictional laws and guidelines (see ISO 27002 Control 5.31).
  • Contracts with third-party cryptography partners that cover all or part liability, reliability and response times.

Key Management

Key management procedures should be spread out over seven main functions:

  1. Generation.
  2. Storage.
  3. Archiving.
  4. Retrieval.
  5. Distribution.
  6. Retiring.
  7. Destruction.

Organisational key management systems should:

  • Manage key generation for all encryption methods.
  • Implement public key certificates.
  • Ensure that all relevant human and non-human entities are issued with the requisite keys.
  • Store keys.
  • Amend keys, as required.
  • Have procedures in place to deal with potentially compromised keys.
  • Decommission keys, or revoke access on a user-by-user basis.
  • Recover lost or malfunctioning keys from backups or key archives.
  • Destroy keys that are no longer required.
  • Manage the activation and deactivation lifecycle, so that certain keys are only available for the period of time that they are needed.
  • Process official requests for access, from law enforcement agencies or, in certain circumstances, regulatory agencies.
  • Contain access controls that protect physical access to keys and encrypted information.
  • Consider the authenticity of public keys, prior to implementation (certificate authorities and public certificates).
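The lifecycle functions listed above (generation, storage, retrieval, retiring, destruction, activation and deactivation windows, handling of compromised keys) are easiest to reason about as state transitions that every use of a key is checked against. The following Python is an added illustration, not ISMS.online's code and not something the ISO clause prescribes: a hypothetical `KeyManager` that only hands out a key for new operations while it is active and inside its validity window, lets a retired key still verify existing data but not protect new data, refuses compromised keys outright, wipes key material on destruction, and records every event in an audit trail. HMAC-SHA256 stands in for whatever cryptographic operation the key serves, and an in-memory dictionary stands in for the HSM or KMS a real deployment would use.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class ManagedKey:
    key_id: str
    purpose: str               # what the key protects, e.g. "pii-record-mac"
    material: Optional[bytes]  # becomes None once the key is destroyed
    valid_from: datetime
    valid_to: datetime
    state: str = "active"      # active -> retired -> destroyed, or -> compromised -> destroyed


class KeyManager:
    """Hypothetical in-memory registry; a real deployment would sit on an HSM or KMS."""

    def __init__(self) -> None:
        self._keys: dict[str, ManagedKey] = {}
        self.audit_log: list[str] = []  # one line per lifecycle event: when, who, what, which key

    def _record(self, actor: str, event: str, key_id: str) -> None:
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.audit_log.append(f"{stamp} {actor} {event} {key_id}")

    def generate(self, purpose: str, valid_from: datetime, lifetime: timedelta, actor: str) -> str:
        key_id = f"{purpose}-{secrets.token_hex(4)}"
        self._keys[key_id] = ManagedKey(key_id, purpose, secrets.token_bytes(32),
                                        valid_from, valid_from + lifetime)
        self._record(actor, "generate", key_id)
        return key_id

    def _transition(self, key_id: str, allowed_from: tuple, new_state: str, actor: str) -> None:
        key = self._keys[key_id]
        if key.state not in allowed_from:
            raise ValueError(f"{key_id}: cannot move from {key.state} to {new_state}")
        key.state = new_state
        self._record(actor, new_state, key_id)

    def retire(self, key_id: str, actor: str) -> None:
        self._transition(key_id, ("active",), "retired", actor)

    def mark_compromised(self, key_id: str, actor: str) -> None:
        self._transition(key_id, ("active", "retired"), "compromised", actor)

    def destroy(self, key_id: str, actor: str) -> None:
        # An active key must be retired or flagged compromised before it can be destroyed.
        self._transition(key_id, ("retired", "compromised"), "destroyed", actor)
        self._keys[key_id].material = None

    def rotate(self, key_id: str, now: datetime, lifetime: timedelta, actor: str) -> str:
        """Issue a successor for the same purpose, then retire the old key."""
        new_id = self.generate(self._keys[key_id].purpose, now, lifetime, actor)
        self.retire(key_id, actor)
        return new_id

    def active_key(self, purpose: str, now: datetime) -> ManagedKey:
        """Only an active key inside its validity window may create new protections."""
        for key in self._keys.values():
            if key.purpose == purpose and key.state == "active" and key.valid_from <= now < key.valid_to:
                return key
        raise LookupError(f"no active key for {purpose!r} at {now.isoformat()}")

    def sign(self, purpose: str, data: bytes, now: datetime) -> tuple[str, str]:
        key = self.active_key(purpose, now)
        return key.key_id, hmac.new(key.material, data, hashlib.sha256).hexdigest()

    def verify(self, key_id: str, data: bytes, tag: str) -> bool:
        """Retired keys may still verify existing data; compromised or destroyed keys may not."""
        key = self._keys.get(key_id)
        if key is None or key.material is None or key.state not in ("active", "retired"):
            return False
        return hmac.compare_digest(hmac.new(key.material, data, hashlib.sha256).hexdigest(), tag)

    def state_of(self, key_id: str) -> str:
        return self._keys[key_id].state


def demo() -> dict:
    """Walk one key through its whole lifecycle and report what each stage allowed."""
    km = KeyManager()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    record = b"pseudonymised customer record 42"  # constructed sample data
    kid = km.generate("pii-record-mac", t0, timedelta(days=90), "key-custodian")
    used, tag = km.sign("pii-record-mac", record, t0 + timedelta(days=1))
    out = {"signed_with_new_key": used == kid, "verifies": km.verify(kid, record, tag),
           "rejects_altered": km.verify(kid, record + b"!", tag)}
    try:
        km.sign("pii-record-mac", record, t0 + timedelta(days=91))  # outside the window
        out["sign_after_expiry"] = True
    except LookupError:
        out["sign_after_expiry"] = False
    new_id = km.rotate(kid, t0 + timedelta(days=60), timedelta(days=90), "key-custodian")
    out["old_verifies_after_rotation"] = km.verify(kid, record, tag)
    out["new_key_in_use"] = km.active_key("pii-record-mac", t0 + timedelta(days=61)).key_id == new_id
    km.mark_compromised(kid, "incident-response")
    out["verifies_after_compromise"] = km.verify(kid, record, tag)
    km.destroy(kid, "key-custodian")
    out["final_state"], out["events"] = km.state_of(kid), len(km.audit_log)
    return out
```

The design choice worth noting is the asymmetry between `sign` and `verify`: new protections are only ever created with the single active key for a purpose, but data protected under an earlier key remains verifiable until that key is compromised or destroyed, which is what makes rotation safe for records already in storage. The audit log is what the "regularly testing, assessing and evaluating" requirement of Article 32 (1)(d) would be checked against.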

Supporting ISO 27002 Controls

  • ISO 27002 5.31
  • ISO 27002 8.24

ISO 27701 Clause 6.9.3.1 (Information Backup) and EU GDPR Article 32 (1)(c)

Organisations should draft topic-specific policies that directly address how the organisation backs up the relevant areas of its network in order to safeguard PII and improve resilience against privacy-related incidents.

BUDR procedures should be drafted to achieve the primary goal of ensuring that all business critical data, software and systems are able to be recovered following data loss, intrusion, business interruption and critical failures.

As a priority, BUDR plans should:

  • Outline restoration procedures that cover all critical systems and services.
  • Be able to produce workable copies of any systems, data or applications that are part of a backup job.
  • Serve the commercial and operational requirements of the organisation (see ISO 27002 Control 5.30).
  • Store backups in an environmentally protected location that is physically separate from the source data (see ISO 27002 Control 8.1).
  • Regularly test and appraise backup jobs against the organisation’s mandated recovery times, in order to guarantee data availability.
  • Encrypt all PII-related backup data.
  • Double-check for any data loss before executing a backup job.
  • Adhere to a reporting system that alerts staff to the status of backup jobs.
  • Seek to incorporate data from cloud-based platforms that are not directly managed by the organisation, in internal backup jobs.
  • Store backups in accordance with an appropriate PII retention policy (see ISO 27002 Control 8.10).

Organisations need to develop separate procedures that deal solely with PII (albeit contained within their main BUDR plan).

Regional variances in PII BUDR standards (contractual, legal and regulatory) should be taken into consideration whenever a new job is created, jobs are amended or new PII data is added to the BUDR routine.

Whenever the need arises to restore PII following a BUDR incident, organisations should take great care to return the PII to its original state, and review restore activities to resolve any issues with the new data.

Organisations should keep a log of restoration activity, including any personnel involved in the restore, and a description of the PII that’s been restored.

Organisations should check with any law-making or regulatory agencies and ensure that their PII restoration procedures are in alignment with what’s expected of them as a PII processor and controller.
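Several of the points above only become verifiable once a backup job records what it copied: producing workable copies, checking for data loss before the next run, testing restores, and keeping a log of who restored which PII. The Python below is an added illustration, not ISMS.online's code and not a procedure the ISO clause mandates; all function names are hypothetical. It writes a SHA-256 manifest alongside each backup, compares a restored tree against that manifest, flags files that have vanished from the source since the last manifest, and appends a restoration log entry naming the operator and the PII restored. Encryption of the backup at rest is assumed to be handled by the storage layer and is not shown.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file() and p.name != "MANIFEST.json"}


def detect_loss(previous: dict[str, str], current: dict[str, str]) -> list[str]:
    """Files present in the last manifest but gone from the source now: raise these
    before the backup job overwrites the only remaining copy."""
    return sorted(set(previous) - set(current))


def back_up(source: Path, backup: Path) -> dict[str, str]:
    """Copy the source tree and write the manifest beside it."""
    manifest = build_manifest(source)
    for rel in manifest:
        dest = backup / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes((source / rel).read_bytes())
    (backup / "MANIFEST.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_against_manifest(backup: Path, target: Path) -> list[str]:
    """Check a restored tree against the backup's manifest; return any problems found."""
    manifest = json.loads((backup / "MANIFEST.json").read_text())
    restored = build_manifest(target)
    problems = []
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing: {rel}")
        elif restored[rel] != digest:
            problems.append(f"corrupted: {rel}")
    return sorted(problems)


def restore(backup: Path, target: Path, operator: str, pii_description: str, log_path: Path) -> dict:
    """Restore every file, verify the result and append one restoration log entry."""
    manifest = json.loads((backup / "MANIFEST.json").read_text())
    for rel in manifest:
        dest = target / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes((backup / rel).read_bytes())
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "operator": operator,
        "pii_description": pii_description,
        "files_restored": len(manifest),
        "problems": verify_against_manifest(backup, target),
    }
    with log_path.open("a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def demo() -> dict:
    """Run the whole cycle on a constructed sample tree inside a temporary directory."""
    root = Path(tempfile.mkdtemp())
    src, bak, rst, log = root / "src", root / "bak", root / "rst", root / "restore.log"
    (src / "customers").mkdir(parents=True)
    (src / "customers" / "export.csv").write_text("id,name\n1,Alice Example\n")  # constructed
    (src / "notes.txt").write_text("constructed sample data\n")
    manifest = back_up(src, bak)
    entry = restore(bak, rst, "ops-user", "customer export, 2 files", log)
    (rst / "notes.txt").write_text("tampered\n")   # simulate a corrupted restore ...
    (rst / "customers" / "export.csv").unlink()    # ... and a file that never came back
    bad = verify_against_manifest(bak, rst)
    (src / "notes.txt").unlink()                   # simulate loss at source before the next job
    lost = detect_loss(manifest, build_manifest(src))
    return {"manifest_files": sorted(manifest), "first_restore_problems": entry["problems"],
            "bad_restore_problems": bad, "lost_since_last_backup": lost,
            "log_entries": log.read_text().count("\n")}
```

A restore that reports no `problems` is the evidence a periodic restore test produces; the `restore.log` entries give the record of personnel and PII involved that the text above asks for, and `detect_loss` is the pre-run check that stops a backup job from silently replacing the last good copy of a file with its absence.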

Supporting ISO 27002 Controls

  • ISO 27002 5.30
  • ISO 27002 8.1
  • ISO 27002 8.10

ISO 27701 Clause 7.2.1 (Identify and Document Purpose) and EU GDPR Article 32 (4)

Organisations need to first identify and then record the specific reasons for processing the PII that they use.

PII principals need to be fully conversant with all the various reasons as to why their PII is being processed.

It’s the responsibility of the organisation to convey these reasons to PII principals, along with a ‘clear statement’ on why they need to process their information.

All documentation needs to be clear, comprehensive and easily understood by any PII principal that reads it – including anything relating to consent, as well as copies of internal procedures (see ISO 27701 Clauses 7.2.3, 7.3.2 and 7.2.8).

Supporting ISO 27701 Controls

  • ISO 27701 7.2.3
  • ISO 27701 7.3.2
  • ISO 27701 7.2.8

ISO 27701 Clause 7.4.5 (PII De-identification and Deletion at the End of Processing) and EU GDPR Article 32 (1)(a)

Organisations either need to completely destroy any PII that no longer fulfils a purpose, or modify it in a way that prevents any form of principal identification.

As soon as the organisation establishes that PII doesn’t need to be processed at any time in the future, the information should be deleted or de-identified, as the circumstances dictate.

ISO 27701 Clause 8.2.2 (Organizational Purposes) and EU GDPR Article 32 (4)

From the outset, PII should only ever be processed in accordance with the customer’s instructions.

Contracts should include SLAs relating to mutual objectives, and any associated time scales that they need to be completed within.

Organisations should acknowledge their right to choose the distinct methods that are used to process PII, that lawfully achieve what the customer is looking for, but without the need to obtain granular permissions on how the organisation goes about it on a technical level.

Supporting ISO 27701 Clauses and ISO 27002 Controls

GDPR Article                                       | ISO 27701 Clause             | ISO 27002 Controls
---------------------------------------------------|------------------------------|-----------------------
EU GDPR Article 32 (3)                             | 5.2.1                        | None
EU GDPR Article 32 (2)                             | 5.2.3                        | None
EU GDPR Article 32 (2)                             | 5.2.4                        | None
EU GDPR Articles 32 (1)(b) and 32 (2)              | 5.4.1.2                      | None
EU GDPR Article 32 (1)(b)                          | 5.4.1.3                      | None
EU GDPR Article 32 (1)(a)                          | 6.11.1.2                     | 5.17, 8.2, 8.5
EU GDPR Articles 32 (1)(b) and 32 (2)              | 6.12.1.2                     | 5.10, 5.12, 5.13, 5.20
EU GDPR Articles 32 (1)(b), 32 (1)(d) and 32 (2)   | 6.15.2.1                     | None
EU GDPR Articles 32 (1)(d) and 32 (2)              | 6.15.2.3                     | None
EU GDPR Article 32 (2)                             | 6.5.2.1                      | None
EU GDPR Article 32 (1)(a)                          | 6.5.3.1                      | 5.14
EU GDPR Article 32 (1)(a)                          | 6.5.3.3                      | 5.14
EU GDPR Article 32 (1)(a)                          | 6.7.1.1                      | 5.31, 8.24
EU GDPR Article 32 (1)(c)                          | 6.9.3.1                      | 5.30, 8.1, 8.10
EU GDPR Article 32 (4)                             | 7.2.1, 7.2.3, 7.3.2, 7.2.8   | None
EU GDPR Article 32 (1)(a)                          | 7.4.5                        | None
EU GDPR Article 32 (4)                             | 8.2.2                        | None

How ISMS.online Helps

The ISMS.online platform has built-in guidance at each step combined with our ‘Adopt, Adapt, Add’ implementation approach so the effort required to demonstrate your approach to GDPR is substantially reduced. You WILL benefit from a range of powerful time-saving features.

ISMS.online also makes it easy for you to jump straight into your journey to GDPR compliance and to easily demonstrate a level of protection that goes beyond ‘reasonable’, all in one secure, always-on location.

Find out more by booking a short 30 minute demo.
