The General Data Protection Regulation (‘GDPR’) is concerned with the security of personal data. If you process personal data you are required to do so in a manner that ensures “appropriate” security of that data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. This is the ‘integrity and confidentiality’ principle. The GDPR does not tell you which security measures to put in place; it only requires that they be appropriate to the risk, and deciding what that means for your organisation is down to you.
Information is wider than just personal data. It could be financial information, intellectual property or research data, and it is a key asset of many organisations that needs to be adequately protected. The road to real information security starts with an assessment of the risk to your sensitive or critical information assets, including personal data. This means considering the threats (both internal and external) to your information and any organisational vulnerabilities, and then assessing the likelihood of each threat materialising and the impact on your business and customers if it did.
Bearing in mind the organisation’s ‘risk appetite’, measures then need to be put in place to manage those risks. Risks can be treated in various ways: reduced by applying controls, accepted, transferred (for example through insurance or contract) or avoided altogether.
Some organisations prefer to put in place a formalised information security management system such as ISO 27001; others choose something less formal such as Cyber Essentials.
Either way, DPA/OK can assist.
If an organisation uses a ‘data processor’, such as an outsourced payroll provider or cloud storage service, it needs to satisfy itself that the processor can be trusted to protect any personal data given to it or to which it is allowed access. DPA/OK can assist you with ‘due diligence’ on such suppliers, and with responding to any security questionnaires that a potential customer asks you to complete.
For further information please contact us.