IT Security Systems and Compliance with the General Data Protection Act

14 July 2021

When the new rules of the General Data Protection Regulation (GDPR) came into effect on May 25th 2018, it became quite the hot topic with all businesses that hold personal data; some found the transition easy, but a lot did not. Before writing this blog, we asked some colleagues and clients what was the first thing that came to mind when they heard ‘GDPR’. In response, some said ‘not sure, as it confuses me’, but others used words such as security, protection, data, personal information, change and surveillance.

The penalty for non-compliance with GDPR is up to £17.5 million or 4% of annual global turnover – whichever is higher. The potential for substantial fines has vastly changed the way organisations approach their data protection and security practices. In terms of an organisation’s IT and cybersecurity, what are the data protection controls that need to be in place from a security perspective to ensure GDPR IT and cybersecurity compliance?

Let's break it down below...

What is the General Data Protection Regulation?

Since the UK left the EU, GDPR has been incorporated into UK data protection law as the UK GDPR. In summary, UK GDPR is a regulation on data protection which applies to data subjects within the UK. UK GDPR gives control to UK data subjects regarding how their data is processed, stored, or transmitted. The effect of GDPR reaches all corners of the globe, making this legislation applicable to organisations outside the EU as well.

Let’s look at some technical controls that are needed to ensure that you are compliant with GDPR.

Identity and Access Management

Having the proper Identity and Access Management controls in place will help limit access to personal data to authorised employees. The two key principles in Identity and Access Management, separation of duties and least privilege, help ensure that employees have access only to the information or systems applicable to their job function.

What does this mean in terms of GDPR? Only those who need access to personal information to perform their job have access. Privacy training should be available to those individuals to ensure that the intended purpose for the collection of personal data is maintained.

Data Loss Prevention

Relevant to GDPR, Data Loss Prevention helps prevent the loss of personal data.

Technical safeguards, such as a Data Loss Prevention tool, are critical in preventing a breach. According to GDPR, organisations, whether they are the controller or processor of personal information, are held liable for the loss of any personal data they collect. Incorporating Data Loss Prevention controls adds a layer of protection by restricting the transmission of personal data outside the network.

Encryption and Pseudonymisation

Pseudonymisation is a difficult word to spell, and an even more difficult one to pronounce! The UK GDPR defines pseudonymisation as “…the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.” In practice, this hard-to-say word may cover field-level encryption in databases, encryption of entire data stores at rest, as well as encryption for data in use and in transit.

Pseudonymisation is more advisory than a strict requirement, but if an incident leading to a security breach occurs, investigators will consider whether the organisation responsible for the breach had implemented these types of GDPR technical controls.
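To make the definition concrete, here is an added example (not code from the original post or from A Plus Security) of the "additional information kept separately" pattern in Python. Direct identifiers are replaced with keyed HMAC tokens; the key and the token-to-identity lookup table are the additional information, and they are meant to live in a separate, access-controlled system from the pseudonymised records. The sample records, field names and key handling are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Constructed sample records; these are not real people.
SAMPLE_RECORDS: List[dict] = [
    {"email": "alice@example.com", "postcode": "SS1 1AA", "order_total": 42.50},
    {"email": "bob@example.com", "postcode": "SS2 2BB", "order_total": 13.99},
    {"email": "alice@example.com", "postcode": "SS1 1AA", "order_total": 7.00},
]

# Fields treated as direct identifiers (assumption for this example).
DIRECT_IDENTIFIERS = ("email",)


def generate_key() -> bytes:
    """Create the secret used to derive tokens. Store it separately from the
    pseudonymised data (e.g. a vault or HSM), under least-privilege access."""
    return secrets.token_bytes(32)


def pseudonymise(records: List[dict], key: bytes) -> Tuple[List[dict], Dict[str, str]]:
    """Replace direct identifiers with keyed HMAC-SHA256 tokens.

    Returns (pseudonymised_records, lookup). The lookup maps token -> original
    value and is the 'additional information' that must be kept separately.
    Using a keyed HMAC rather than a plain hash means someone holding only the
    pseudonymised records cannot recompute tokens for guessed e-mail addresses.
    """
    lookup: Dict[str, str] = {}
    out: List[dict] = []
    for rec in records:
        new = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            value = rec[field]
            # Field name is mixed into the message so the same value in two
            # different fields does not produce the same token.
            token = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()
            lookup[token] = value
            new[field] = token
        out.append(new)
    return out, lookup


def reidentify(pseudo_record: dict, lookup: Dict[str, str]) -> dict:
    """Restore direct identifiers using the separately held lookup table.

    Without the lookup (or the key used to build it) the token alone cannot be
    attributed to a person, which is the property the UK GDPR definition describes.
    """
    restored = dict(pseudo_record)
    for field in DIRECT_IDENTIFIERS:
        token = pseudo_record[field]
        if token not in lookup:
            raise KeyError(f"no mapping held for {field} token {token[:8]}...")
        restored[field] = lookup[token]
    return restored


def contains_direct_identifier(records: List[dict], value: str) -> bool:
    """Check a dataset for a raw identifier value, e.g. as a DLP-style test that
    the pseudonymised copy really has no plain e-mail addresses left in it."""
    return any(rec[field] == value for rec in records for field in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    key = generate_key()
    pseudo, lookup = pseudonymise(SAMPLE_RECORDS, key)
    for rec in pseudo:
        print(rec)  # analytics copy: tokens, postcodes and totals only
    print(reidentify(pseudo[0], lookup))  # only possible with the separate lookup
```

Two design points worth noting. The same e-mail address yields the same token under one key, so records for one customer stay linkable for analytics without exposing who they are; a different key produces unrelated tokens. The postcode column is deliberately left in place to show the limit of the technique: pseudonymised data is still personal data under UK GDPR, because indirect identifiers can be combined to single people out, so the access and encryption controls discussed on this page still apply to the pseudonymised copy.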

Third Party Risk Management

If an organisation entrusts the processing of personal data to a processor or sub-processor, and a breach occurs, who is liable?

The short answer is liability for all parties!

Processors are bound by their instructions, but GDPR data compliance also obligates processors to take an active role in the protection of personal data. Regardless of instructions, the processor of personal data must follow GDPR and can be liable for any incidents associated with loss of, or unauthorised access to, personal data. Any sub-processors will also need to comply with GDPR, based on each contractual relationship established between a processor and sub-processor.

As you can see, GDPR IT and cybersecurity compliance is just as important for third parties as it is internally for an organisation, if those third parties process, store, or transmit personal data.

Policy Management

Policy provides the accountability layer for the data security controls described above.

To be effective, policy must receive organisation-wide buy-in to manage and update data security controls in an ever-changing IT and cybersecurity environment. Organisational policy and training ensure policies are effectively communicated to, and understood by, all parties.

If managed and followed accordingly, policy management is a foundation for compliance with GDPR.

What to Take Away…

As explained, GDPR requirements are more than a box ticking exercise. If you process personal data, then you must make sure the correct controls are in place to ensure compliance.

Explore the security controls for data protection that you have in place to support GDPR requirements to ensure personal data is accounted for, protected, and processed correctly.

We at A Plus Security have been working with clients to ensure that they have the correct controls in place for their systems, and we continually monitor changes and assist them in making sure that they remain compliant and have confidence in their systems.

Do you need support aligning your business IT Security System with GDPR Requirements? Contact our experts here, to discuss this further or call us on 01702 293157.

What our clients have to say about us

A Plus provides an excellent return on investment, not just through the solution installed, but the general experience they offer from pre-install to post-install and right through to the maintenance of the system. We knew we had made the right decision with A Plus as they offered a comprehensive and detailed proposal and project plan. The skill level of their engineers was a pleasant surprise with their knowledge of IT and networks, as well as electronic security, which made dealing with our internal IT team very smooth. Apart from that, the fact we never had to chase them for anything was a very nice surprise!

International Group of Schools

We chose A-Plus Security to carry out the upgrade of our electronic security systems for our 9 colleges and they have far exceeded our expectations in their approach to the projects. We are a UK wide organisation where the planning and mobilising of these major projects around term times is time critical and A Plus Security have been nothing short of fantastic in the communication, their design proposals, openness to last minute changes, pre and post-sales support and their management of 3rd party companies and IT services. We would highly recommend A Plus Security to any organisation who are looking to install or upgrade their systems.

Nationwide Groups of Colleges

A Plus Security exceeded all expectations, following a late award of the contract due to a different contractor pulling out. All fire and security works were completed when requested and signed off on finish, with no issues noted. We have continued working with A Plus on following projects and would fully recommend them.

Operations Manager of P&M Electrical