Article 32 GDPR calls for the implementation of “appropriate technical and organisational measures” to ensure a level of security appropriate to the risk. How can an organisation achieve this?
Performing a risk assessment is central to determining which information security controls are appropriate to protect an organisation's data. The first step in a risk assessment is to identify the assets to be protected. In the case of GDPR, this information is captured in the records of processing activities, which identify the systems on which the personal data resulting from each business activity is processed. Assessing the risk of those identified systems ensures that the implemented controls are appropriate to the data processing risks arising from these activities, as GDPR requires.
To ensure that the implemented controls are appropriate to the risk, we must begin by identifying the assets to be protected. In the case of GDPR this is achieved by developing a record of processing activities, as required under Article 30 of the GDPR. Business functions process personal data for a variety of reasons, from recruitment in HR to payroll in Finance. The simple act of processing personal data carries an inherent risk to the business, and the level of that risk is determined by the number of records and the sensitivity of the data involved. The processed data resides on the various systems identified in the record of processing activities. The amalgamated inherent risk arising from each individual processing activity determines the level of risk attributable to each system. Suitable mitigating controls are then applied to the systems to protect the personal data they process. This ensures that the selected controls are appropriate to the risk of processing, and that each mitigating control can be traced back to a specific processing activity.
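The aggregation described above, as an added example that is not part of the original article or Ward Solutions' own tooling: each record of processing activity carries an inherent risk derived from record count and sensitivity, that risk is amalgamated onto the system holding the data, and every control applied to a system is traced back to the activities that justify it. The volume bands, sensitivity weights and sample entries are assumptions constructed for illustration, not a GDPR-prescribed scale.

```python
from dataclasses import dataclass

# Assumed weighting scale for illustration only; adapt to your own risk methodology.
SENSITIVITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "special": 5}


@dataclass
class ProcessingActivity:
    name: str          # business activity from the record of processing activities
    system: str        # system on which the resulting personal data resides
    records: int       # number of personal data records involved
    sensitivity: str   # key into SENSITIVITY_WEIGHT


def inherent_risk(activity: ProcessingActivity) -> int:
    """Inherent risk of one activity: record-volume band times sensitivity weight (assumed model)."""
    if activity.records < 1_000:
        band = 1
    elif activity.records < 10_000:
        band = 2
    else:
        band = 3
    return band * SENSITIVITY_WEIGHT[activity.sensitivity]


def system_risk(activities: list[ProcessingActivity]) -> dict[str, int]:
    """Amalgamate the inherent risk of every activity onto the system that holds its data."""
    totals: dict[str, int] = {}
    for a in activities:
        totals[a.system] = totals.get(a.system, 0) + inherent_risk(a)
    return totals


def control_justification(activities, controls: dict[str, list[str]]) -> dict[str, dict]:
    """Trace each control applied to a system back to the processing activities that drive it."""
    justification = {}
    for system, names in controls.items():
        drivers = [a.name for a in activities if a.system == system]
        for control in names:
            justification[control] = {"system": system, "activities": drivers}
    return justification


# Constructed sample entries (not real data) standing in for a record of processing activities.
ROPA = [
    ProcessingActivity("HR recruitment", "hr-app", 800, "high"),
    ProcessingActivity("Employee health records", "hr-app", 800, "special"),
    ProcessingActivity("Payroll", "finance-erp", 2_500, "high"),
    ProcessingActivity("Marketing newsletter", "crm", 50_000, "low"),
]
# Constructed sample mapping of mitigating controls to the systems they are applied to.
CONTROLS = {"hr-app": ["disk encryption", "MFA"], "crm": ["quarterly access review"]}
```

Running `system_risk(ROPA)` ranks the systems by amalgamated inherent risk, and `control_justification(ROPA, CONTROLS)` gives the per-control audit trail back to processing activities.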
Here’s how Ward Solutions can help you:
If you would like to know more about our GDPR services, e-mail us or call 1800 903 552 to discuss your unique requirements.