GDPR and ISO norms
The entry into force of the GDPR on May 25th, 2018, provides for the implementation of adequate technical and organizational measures – both when determining the means of data processing (Privacy by design – Art. 25 GDPR) and at the time of processing itself – including, for example, data minimization (which must be guaranteed by default – Privacy by default – Art. 25 GDPR) and security of processing (Art. 32 GDPR).
The fear of having to pay large sums for violations of the regulation (up to 4% of annual turnover) is convincing managers to raise awareness of data security and, more importantly, is convincing companies to increase the budgets for implementing the “technical and organizational measures” that protect information.
Article 32 of the GDPR also requires that the confidentiality, integrity, availability and resilience of processing systems and services be guaranteed on an ongoing basis.
To this effect, the culture of data security management brings with it an awareness of data as a valuable economic asset:
• How will a manager make “good” decisions that bring value to his company if he has no data on which to base his predictions and decisions? (Availability, integrity).
• What consequences can the unauthorized disclosure of data have for a company in terms of economic damage, reputation, or breach of contractual obligations? (Confidentiality).
The ISO/IEC 27001 standard (see also COBIT and NIST) provides a common framework that describes the key requirements for implementing an effective information security management system, and so offers valuable assistance in ensuring compliance with the GDPR. European managers can thus begin to become familiar with the concepts underlying the most important security frameworks based on international best practices.
Data Mapping & Risk Assessment
Among the security concepts that the GDPR is helping to spread is that an organization, to manage its data well, must above all have awareness and certainty of which data it owns and how much (data gathering/discovery). Mapping that data is therefore essential.
Once the tools, people, systems, databases, applications and procedures through which the company carries out data processing have been mapped (in the GDPR this activity flows into the so-called record of processing activities), it becomes possible to assess the risks connected to their management (Risk Assessment – ISO 31000, 27005 – DPIA in the GDPR) and to implement the appropriate security measures to defend the organization's data assets.
The European Privacy Regulation also requires that, in assessing the appropriate level of security, special consideration be given to the risks presented by the processing and deriving, in particular, from the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed*.
Here too the ISO standard helps, by prescribing, among other things, the so-called SoD (Segregation of Duties) for all data, so that tasks and areas of responsibility are well established and kept separate, reducing the possibility of misuse or of unauthorized, even unintentional, modification of the information held by the organization.
This important data governance objective can also be achieved with so-called Identity Management software, which both facilitates and controls user access to critical applications and data, while protecting personal data from unauthorized access.
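As an added illustration of the segregation-of-duties control described above (this is example code written for this page, not code from the article or from any ISO standard or identity management product), the following Python script models a constructed role catalogue and a constructed list of duty pairs that must never be held by one person. It reports which users already hold a toxic combination and offers a pre-grant check that an identity management workflow could call before assigning a new role. Every user, role and duty name here is a constructed assumption.

```python
"""Segregation-of-duties (SoD) check over a role inventory (constructed example)."""

# Constructed SoD rules: each frozenset is a pair of duties that one person
# must never hold at the same time (a "toxic combination").
CONFLICTING_DUTIES = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"develop_code", "deploy_to_production"}),
    frozenset({"request_access", "grant_access"}),
}

# Constructed role catalogue: which duties each role confers.
ROLE_DUTIES = {
    "purchasing_clerk": {"create_vendor"},
    "finance_approver": {"approve_payment"},
    "developer": {"develop_code"},
    "release_manager": {"deploy_to_production"},
    "helpdesk": {"request_access"},
    "iam_admin": {"grant_access"},
}


def effective_duties(roles, role_duties=ROLE_DUTIES):
    """Union of the duties conferred by all of a user's roles.

    Unknown roles contribute nothing rather than raising, so a stale
    assignment in the inventory does not abort the whole review.
    """
    duties = set()
    for role in roles:
        duties |= role_duties.get(role, set())
    return duties


def sod_conflicts(user_roles, role_duties=ROLE_DUTIES, rules=CONFLICTING_DUTIES):
    """Return {user: [(duty_a, duty_b), ...]} for every user holding a toxic pair.

    Conflicts are evaluated on effective duties, not on role names, so a
    combination of two individually harmless roles is still detected.
    """
    findings = {}
    for user, roles in user_roles.items():
        duties = effective_duties(roles, role_duties)
        hits = sorted(tuple(sorted(rule)) for rule in rules if rule <= duties)
        if hits:
            findings[user] = hits
    return findings


def would_conflict(current_roles, new_role, role_duties=ROLE_DUTIES,
                   rules=CONFLICTING_DUTIES):
    """Pre-grant check: True if adding new_role would create a toxic combination."""
    before = effective_duties(current_roles, role_duties)
    after = before | role_duties.get(new_role, set())
    return any(rule <= after and not rule <= before for rule in rules)


# Constructed user inventory, as an access review might export it.
USER_ROLES = {
    "alice": {"purchasing_clerk", "finance_approver"},   # toxic: create + approve
    "bob": {"developer"},                                # clean
    "carol": {"helpdesk", "iam_admin"},                  # toxic: request + grant
    "dave": {"release_manager", "retired_role"},         # unknown role ignored
}


def review_report(user_roles=USER_ROLES):
    """Flat list of (user, duty_a, duty_b) rows suitable for an audit log."""
    rows = []
    for user, pairs in sod_conflicts(user_roles).items():
        for duty_a, duty_b in pairs:
            rows.append((user, duty_a, duty_b))
    return rows


if __name__ == "__main__":
    for user, duty_a, duty_b in review_report():
        print(f"SoD conflict: {user} holds both '{duty_a}' and '{duty_b}'")
    print("bob + release_manager would conflict:",
          would_conflict(USER_ROLES["bob"], "release_manager"))
```

The point of checking on effective duties rather than on role names is that toxic combinations usually arise from two legitimate roles granted at different times by different approvers; the pre-grant check is where an identity management workflow can stop that before it happens, and the review report is the periodic control that catches what slipped through.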
Data Breach/Security Incident
Another fundamental requirement demanded by both the GDPR and the ISO 27001 standard is the management of security incidents, the so-called Data Breach. It is in fact required to implement a policy that guides the management of security incidents (personal data breaches in the GDPR), such that the incident is first contained, then analyzed for its severity, also in order to decide whether the breach must be communicated under contractual or legal obligations**.
After recording the incident and the responses put in place to remedy it, and also in order to meet the accountability requirement of the GDPR, an analysis must be carried out to evaluate whether new security measures should be implemented, through the so-called Problem Management (ISO 27001, 20000).
Continuous improvement and Deming Cycle
Another important theme, which I want to mention here, concerning the maintenance of information security over time, is the so-called “Continuous improvement” imposed by the ISO standards, which the GDPR lists among the technical and organizational measures to be implemented: “a procedure to regularly test, verify and evaluate the effectiveness of technical and organizational measures to guarantee the security of the processing”*.
The conceptual basis of this requirement is the so-called Deming cycle (or PDCA cycle, an acronym of Plan-Do-Check-Act), a four-phase iterative management method used for the continuous control and improvement of processes.
The above are just some of the principles and requirements that inform the European privacy regulation and the security framework provided by the ISO standards, which have many points of contact.