kirkpatrickprice
GDPR Fundamentals: Organizational Controls
Learn more at kirkpatrickprice.com/video/gdpr-fundamentals-data-securit...
Every organization subject to GDPR will require some specific organizational controls. Although the specifics of the controls may differ from one organization to another, every organization should have elements of the following organizational controls.
Information Security Policy – No matter what kind of processing activity an organization engages in, what the organization’s role is (controller or processor), or whether the organization processes special categories of personal data, every organization should have a documented information security policy that establishes the standards, enforcement, and monitoring of information security protocols. This information security policy should be reviewed periodically, approved by a responsible party, distributed to all employees within the organization, and tested after incidents and industry changes to ensure that it remains current.
GDPR Training – Organizations need to implement a GDPR training program which supplements any existing information security program. This training should explain to employees the requirements of GDPR and how they coordinate with their organization’s existing information security standards. New or different security requirements, whether that relates to international data transfers, data access, data use, safeguards, or transparency, should be clearly communicated to employees and compared to other information security requirements to help them understand the requirement.
Business Continuity Plan – GDPR requires organizations to maintain the integrity and accessibility of data. How can they do that? One way is through Business Continuity Plans, so that in the event of an environmental or man-made disaster, data is available and unchanged. Business Continuity Plans should be monitored periodically, tested, and distributed throughout the organization.
Mobile Device Policy – A critical technical control is regulating how mobile devices access, store, and transmit personal data. Cell phones, tablets, laptops, or other removable storage are subject to GDPR. For example, if an organization processes special categories of data, then there should be severe restrictions around the ability to access that data on mobile devices. Organizations should also have a clear policy on whether employees are allowed to bring and use their own devices (BYOD). If they are, what configuration standards should be established for those devices?
Logical Access Restrictions – Another critical technical control for organizations subject to GDPR is the set of controls related to logical access. Who has access to what data? What personal data is stored on what systems and in which locations? Can individuals access that data remotely? What authorization do individuals need to obtain before they can access personal data? Can individuals transmit data to third parties? An organization’s logical access considerations should extend beyond the organization itself to its vendors and third parties.
Data Mapping – Although data mapping isn’t explicitly required by GDPR, we find it difficult to determine access controls, device controls, and information security policies without a full picture of the kind of personal data that an organization processes, where those data elements go, how the data elements are received, and how those data elements are stored. Any effective data mapping tool will allow an organization to track data from an entry point, an internal storage point, an internal access point, and any external transmission points.