kirkpatrickprice
GDPR Fundamentals: Data Security Requirements
Learn more at kirkpatrickprice.com/video/gdpr-fundamentals-data-securit...
While GDPR is primarily a data privacy law, it also includes elements of data security. But of course, GDPR is ambiguous, so it’s not very prescriptive when it comes to data security requirements for processing personal data. The law requires each organization to evaluate its own data security risk based on its processing activities and its organizational structure. By putting this in the hands of the organization, the organization can determine what’s an appropriate control. Organizations are also allowed to consider their own ability and resources to implement a control. Just because a control is a possibility for mitigating risk doesn’t mean that it’s an appropriate control. What’s appropriate for one organization may be too expensive, impractical, or not secure enough for another organization. Appropriate organizational and technical data security controls include risk assessments, encryption, pseudonymization, and documented policies covering things like business continuity, physical security, logical access, configuration management, human resources, and management oversight.
There should also be a process to monitor and test the effectiveness of data security controls, which is where internal and third-party auditing comes into play. These serve as an effective way of demonstrating that thought and objectivity have gone into deciding what is appropriate for an organization. There have been unofficial attempts to map GDPR requirements to other information security frameworks, but they may be incomplete with respect to data security and privacy elements.