GDPR Article 32 states the need for organisations to implement various measures that achieve an adequate level of security across their data processing operation.
To achieve this, organisations need to take into account:
Security of processing
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- The pseudonymisation and encryption of personal data.
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
- In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
- Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.
- The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.
Security of processing
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- The pseudonymisation and encryption of personal data.
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
- In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
- Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.
- The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by domestic law.
Since migrating we’ve been able to reduce the time spent on administration.
GDPR Article 32 asks organisations to take a risk-based approach to data processing that takes into consideration several key variables:
Organisations need to undergo a mapping exercise that lists both internal and external factors relating to the implementation of a PIMS.
The organisation needs to be able to understand how it’s going to achieve its privacy protection outcomes, and any issues that stand in the way of safeguarding PII should be identified and addressed.
Before attempting to address privacy protection and implement a PII, organisations need to first gain an understanding of their obligations as a singular or joint PII controller and/or processor.
This includes:
ISO recommends a thorough scoping exercise, so that organisations are able to produce a PIMS that first meets its privacy protection requirements, and secondly does not creep into areas of the business that aren’t in need of attention.
Organisations should establish and document:
All scoping exercises that map out a PIMS implementation should include a thorough assessment of PII processing and storage activities.
Organisations should seek to implement, manage and optimise a Privacy Information Management System (PIMS), in-line with published ISO standards.
Organisations should map out and implement a privacy protection risk assessment process that:
Book a tailored hands-on session
based on your needs and goals
Book your demo
If you don’t use ISMS.online, you’re making your life more difficult than it needs to be!
Organisations should draft and implement a privacy protection/PII ‘risk treatment process’ that:
Application security procedures should be developed alongside broader privacy protection policies, usually via a structured risk assessment that takes into account multiple variables.
Application security requirements should include:
Transactional services that facilitate the flow of privacy data between the organisation and a third party organisation, or partner organisation, should:
For any applications that involve electronic ordering and/or payment, organisations should:
When addressing security within supplier relationships, organisations should ensure that both parties are aware of their obligations towards privacy information security, and one another.
In doing so, organisations should:
Organisations should also maintain a register of agreements, that lists all agreements held with other organisations.
In this section we talk about GDPR Articles 32 (1)(b), 32 (1)(d), 32 (2)
Organisations should develop processes that cater for independent reviews of their privacy information security practices, including both topic-specific policies and general policies.
Reviews should be conducted by:
Reviews should be independent and carried out by individuals with sufficient knowledge of privacy protection guidelines and the organisations own procedures.
Reviewers should establish whether privacy information security practices are compliant with the organisation’s “documented objectives and requirements”.
As well as structured periodic reviews, organisations may come across the need to conduct ad-hoc reviews that are triggered by certain events, including:
Organisations need to ensure that personnel are able to review privacy policies across the full spectrum of business operations.
Management should develop technical methods of reporting on privacy compliance (including automation and bespoke tools). Reports should be recorded, stored and analysed to further improve PII security and privacy protection efforts.
Where compliance issues are discovered, organisations should:
It is vitally important to enact corrective measures as soon as possible. If issues aren’t fully resolved by the time of the next review, at a minimum, evidence should be provided to show that progress is being made.
Rather than put all information held on an equal footing, organisation’s should classify information on a topic-specific basis.
Information owners should consider four key factors, when classifying data (especially regarding PII), which should be reviewed periodically, or when such factors change:
To provide a clear operational framework, information categories should be named in accordance with the inherent risk level, should any incidents occur that compromise any of the above factors.
To ensure cross-platform compatibility, organisations should make their information categories available to any external personnel who they share information with, and ensure that the organisation’s own classification scheme is widely understood by all relevant parties.
Organisation’s should be wary of either under-classifying or, conversely, over-classifying data. The former can lead to mistakes in grouping PII in with less-sensitive data types, whilst the former often leads to added expense, a greater chance of human error and processing anomalies.
When developing policies that govern the handling of media assets involved in storing PII, organisations should:
When re-purposing, re-using or disposing of storage media, robust procedures should be put in place to ensure that PII is not affected in any way, including:
If devices that have been used to store PII become damaged, organisation’s should carefully consider whether or not it is more appropriate to destroy such media, or send it for repair (erring on the side of the former).
ISO warns organisations against using unencrypted storage devices for any PII-related activities.
I certainly would recommend ISMS.online, it makes setting up and managing your ISMS as easy as it can get.
See section above on ISO 27701 Clause 6.5.3.1
If media is to be disposed of that previously held PII, organisations should implement procedures that document the destruction of PII and privacy-related data, including categorical assurances that it is no longer available.
Organisations should use encryption to protect the confidentiality, authenticity and integrity of PII and privacy-related information, and to adhere to their various contractual, legal or regulatory obligations.
Encryption is a far-reaching concept – there is no ‘one size fits all’ approach. Organisations should assess their needs and choose a cryptographic solution that meets their unique commercial and operational objectives.
Organisations should consider:
Key management procedures should be spread out over 7 main functions:
Organisational key management systems should:
Organisations should draft topic-specific policies that directly address how the organisation backs up the relevant areas of its network in order to safeguard PII and improve resilience against privacy-related incidents.
BUDR procedures should be drafted to achieve the primary goal of ensuring that all business critical data, software and systems are able to be recovered following data loss, intrusion, business interruption and critical failures.
As a priority, BUDR plans should:
Organisations need to develop separate procedures that deal solely with PII (albeit contained within their main BUDR plan).
Regional variances in PII BUDR standards (contractual, legal and regulatory) should be taken into consideration whenever a new job is created, jobs are amended or new PII data is added to the BUDR routine.
Whenever the need arises to restore PII following a BUDR incident, organisations should take great care to return the PII to its original state, and review restore activities to resolve any issues with the new data.
Organisations should keep a log of restoration activity, including any personnel involved in the restore, and a description of the PII that’s been restored.
Organisations should check with any law-making or regulatory agencies and ensure that their PII restorations procedures are in alignment with what’s expected of them as a PII processor and controller.
Book a tailored hands-on session
based on your needs and goals
Book your demo
We can’t think of any company whose service can hold a candle to ISMS.online.
Organisations need to first identify and then record the specific reasons for processing the PII that they use.
PII principals need to be fully conversant with all the various reasons as to why their PII is being processed.
It’s the responsibility of the organisation to convey these reasons to PII principals, along with a ‘clear statement’ on why they need to process their information.
All documentation needs to be clear, comprehensive and easily understood by any PII principal that reads it – including anything relating to consent, as well as copies of internal procedures (see ISO 27701 Clauses 7.2.3, 7.3.2 and 7.2.8).
Organisations either need to completely destroy any PII that no longer fulfils a purpose, or modify it in a way that prevents any form of principal identification.
As soon as the organisation establishes that PII doesn’t need to be processed at any time in the future, the information should be deleted or de-identified, as the circumstances dictate.
From the outset, PII should only ever be processed in accordance with the customer’s instructions.
Contracts should include SLAs relating to mutual objectives, and any associated time scales that they need to be completed within.
Organisations should acknowledge their right to choose the distinct methods that are used to process PII, that lawfully achieve what the customer is looking for, but without the need to obtain granular permissions on how the organisation goes about it on a technical level.
GDPR Article | ISO 27701 Clause | ISO 27002 Controls |
---|---|---|
EU GDPR Article 32 (3) | 5.2.1 | None |
EU GDPR Article 32 (2) | 5.2.3 | None |
EU GDPR Article 32 (2) | 5.2.4 | None |
EU GDPR Articles 32 (1)(b) and 32 (2) | 5.4.1.2 | None |
EU GDPR Article 32 (1)(b) | 5.4.1.3 | None |
EU GDPR Article 32 (1)(a) | 6.11.1.2 | 5.17 8.2 8.5 |
EU GDPR Articles 32 (1)(b) and 32 (2) | 6.12.1.2 | 5.10 5.12 5.13 5.20 |
EU GDPR Articles 32 (1)(b), 32 (1)(d) and 32 (2) | 6.15.2.1 | None |
EU GDPR Articles 32 (1)(d) and (32)(2) | 6.15.2.3 | None |
EU GDPR Article 32 (2) | 6.5.2.1 | None |
EU GDPR Article 32 (1)(a) | 6.5.3.1 | 5.14 |
EU GDPR Article 32 (1)(a) | 6.5.3.3 | 5.14 |
EU GDPR Article 32 (1)(a) | 6.7.1.1 | 5.31 8.24 |
EU GDPR Article 32 (1)(c) | 6.9.3.1 | 5.30 8.1 8.10 |
EU GDPR Article 32 (4) | 7.2.1 7.2.3 7.3.2 7.2.8 | None |
EU GDPR Article 32 (1)(a) | 7.4.5 | None |
EU GDPR Article 32 (4) | 8.2.2 | None |
The ISMS.online platform has built-in guidance at each step combined with our ‘Adopt, Adapt, Add’ implementation approach so the effort required to demonstrate your approach to GDPR is substantially reduced. You WILL benefit from a range of powerful time-saving features.
ISMS.online also makes it easy for you to jump straight into your journey to GDPR compliance and to easily demonstrate level of protection that goes beyond ‘reasonable’, all in one secure, always-on location.
Find out more by booking a short 30 minute demo.
Book a tailored hands-on session
based on your needs and goals
Book your demo