Checklist for securing integrity and confidentiality

The GDPR requires that organizations have comprehensive policies and procedures ensuring that personal data always remains within the control of the organization. Additionally, personal data breaches must be reported within 72 hours to the competent supervisory authority appointed by their country’s government.

Take all appropriate organizational and technical measures to protect personal data against compromise.

What should you do?

  • Review security policies around password control and account use.
  • Consider setting minimum password strength requirements for all domain groups. Consider setting stronger requirements for administrative accounts on the domain level.
  • Have processes in place to audit protection status and detect breaches.
  • Ensure users do not share accounts, whether by sharing passwords or by failing to log off at the end of a shift and log on again at the start of the next.
  • Maintain a documented policy and procedure governing appropriate actions in the event of data breach.
  • You must ensure that you have appropriate security measures in place to protect the personal data you hold.
  • A key principle of the GDPR is that you process personal data securely by means of ‘appropriate technical and organizational measures’ – this is the ‘security principle’.
  • Doing this requires you to consider things like risk analysis, organizational policies, and physical and technical measures.
  • You must also take into account additional requirements about the security of your processing – and these also apply to Data Processors.
  • You can consider the state of the art and costs of implementation when deciding what measures to take – but they must be appropriate both to your circumstances and the risk your processing poses.
  • Where appropriate, you should look to use measures such as pseudonymization (for example, using privacy protection with a blurring mask), and encryption.
  • Your measures must ensure the ‘confidentiality, integrity and availability’ of your systems and services and the personal data you process within them.
  • The measures must also enable you to restore access and availability to personal data in a timely manner in the event of a physical or technical incident.
  • You also need to ensure that you have appropriate processes in place to test the effectiveness of your measures and undertake any required improvements.