Review your data processing activities to ensure GDPR compliance. You must have a lawful basis for each processing activity and be able to demonstrate it to your supervisory authority on request, so document everything you do. An information security framework such as Cyber Essentials gives that documentation a recognised structure.
Data security plays a prominent role in the GDPR, reflecting how closely security and privacy are intertwined in modern comprehensive privacy regimes. The GDPR imposes stricter security obligations on both data controllers and data processors, while giving more guidance on what security measures are appropriate. It also introduces, for the first time, specific breach notification requirements: a personal data breach must be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of it (Article 33), and to the affected data subjects when the breach is likely to result in a high risk to their rights and freedoms (Article 34).
Unlike the 1995 Data Protection Directive, the GDPR (Article 32) gives specific examples of the kinds of security measures that might be considered "appropriate to the risk", including:
The pseudonymisation and encryption of personal data.
The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
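Of the measures listed, pseudonymisation is the one most often done badly: an unkeyed hash of a phone number or date of birth is not a pseudonym, because the input space is small enough to enumerate and the hash can be recomputed by anyone holding the dataset. The following is an added example, not part of the original page. It uses only Python's standard library; the sample record, the attacker's guess list and the function and field names are constructed here for illustration. The key passed to the HMAC plays the role of the "additional information" that Article 4(5) requires to be kept separately from the data.

```python
"""Pseudonymisation with a key held separately from the data.

Added example, not from the original page. The sample record and the
phone numbers below are constructed, not real.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional

# Constructed sample record; every value is invented.
SAMPLE_RECORD: Dict[str, str] = {
    "name": "Alice Example",
    "phone": "+441234567890",
    "postcode": "SW1A 1AA",
}

# Fields that directly identify the data subject and get replaced by tokens.
# (Illustrative choice; a real schema needs its own identifier review.)
DIRECT_IDENTIFIERS = ("name", "phone")


def new_key() -> bytes:
    """Generate the secret that must be stored apart from the pseudonymised data."""
    return secrets.token_bytes(32)


def naive_pseudonym(value: str) -> str:
    """Unkeyed SHA-256. Looks pseudonymous, but anyone can recompute it over a
    guessable input space (phone numbers, dates of birth) and re-identify."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def keyed_pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Without the key the token cannot be
    recomputed, so enumerating candidate inputs does not reverse it."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_record(record: Dict[str, str], key: bytes) -> Dict[str, str]:
    """Replace direct identifiers with keyed tokens and leave other fields as-is.
    Indirect identifiers such as postcode still need their own risk assessment."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = keyed_pseudonym(out[field], key)
    return out


def candidate_phones() -> List[str]:
    """Constructed attacker guess list: 100 numbers sharing a prefix. Real
    attackers enumerate far larger spaces just as cheaply."""
    return [f"+44123456{i:04d}" for i in range(7800, 7900)]


def reidentify(token: str, candidates: List[str],
               fn: Callable[[str], str]) -> Optional[str]:
    """Attacker's re-identification attempt: recompute fn() over the guesses
    and look for a match. Models an attacker holding the dataset but no key."""
    for c in candidates:
        if hmac.compare_digest(fn(c), token):
            return c
    return None


if __name__ == "__main__":
    key = new_key()
    phone = SAMPLE_RECORD["phone"]
    print("unkeyed hash reversed to:",
          reidentify(naive_pseudonym(phone), candidate_phones(), naive_pseudonym))
    print("keyed token reversed to:",
          reidentify(keyed_pseudonym(phone, key), candidate_phones(), naive_pseudonym))
    print("pseudonymised record:", pseudonymise_record(SAMPLE_RECORD, key))
```

The controller, holding the key, can still recompute a token to link new records to existing ones, which is what distinguishes pseudonymisation from anonymisation and why the key store is itself in scope for the Article 32 measures (access control, rotation, backup). Rotating the key invalidates every existing token, so plan re-tokenisation before you rotate.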
Controllers and processors that adhere to an approved code of conduct (Article 40) or an approved certification mechanism (Article 42) may use that adherence as an element by which to demonstrate compliance with the GDPR's security obligations (Article 32(3)). Note that general-purpose frameworks such as ISO 27001, the NIST Cybersecurity Framework, the CIS Controls and Cyber Essentials are not themselves GDPR-approved certification mechanisms: approval under Article 42 comes from a supervisory authority or the European Data Protection Board. Certification against those frameworks is still useful evidence that your technical and organisational measures are appropriate, but it does not by itself establish GDPR compliance.