Cloud Technology & IT Security Specialists Ask a question 01223 901 900 Client Portal

GDPR – Best in Class Technical Measures

GDPR was introduced in May 2018 to protect personal data for EU residents. All organisations are encouraged to implement appropriate ‘best in class technical measures’ to secure and prevent data breaches.

The pandemic has changed the way we work, with more people working from home and moving around with company equipment. With personal data being moved around, as well as the ever-increasing rise in cyber-attacks, it’s time for a reminder of the GDPR requirements and the ‘best in class technical measures’. Cyber criminals are always innovating new ways to illegally obtain data and cause havoc. We hope this article will help you and better protect your systems and data.

Best in Class Technical Measures

GDPR RequirementWhat Security element it addressesBest in Class Technical Measures
Article 25 & 35 – Data protection impact assessment   Organisations should carry out a data protection impact assessment. The assessment should describe and expound upon the processes and operations. It should also include the security measures to protect personal data.  Security protection policies and processesCyber Essentials Scheme  

Cyber Essentials is a government backed scheme that has been designed to help organisations protect themselves against the most common attacks. It also portrays an organisations commitment to their cyber security.
Article 25 – Data protection by design and by default   An organisation must implement appropriate technical measures to safeguard their personal data.    Identity and access controlTwo-Factor Authentication  

2FA means there is a second layer of verification required which is based on something not easily duplicated. This would be unique or biometric. The NCSC have advised since 2018 that purely passwords are no longer good enough to protect against cybercrime. 2FA should be on all logins that access personal data.  
Article 25 & 32 – Security of processing   An organisation must ensure an appropriate level of security is implemented. This would include things such as encryption of personal data.  Data securityDevice Encryption  

Device encryption protects your data on a device from unauthorized access. If a device was lost with personal data, device encryption would mean that no one could read the data on the device without a key. This is a must have for any devices on the move.  
Article 32 – Security of processing   An organisation must ensure the ongoing integrity and resilience of the technical measures implemented to protect their own and clients personal data.  System securityConditional Access  

Conditional access is a set of policies that control which devices can access data sources. The configurations can be applied across all enrolled company devices and across the full Microsoft environment.  

Device Management  

To ensure the ongoing integrity and resilience of the technical measures implemented, organisations need to know all devices that are accessing all personal data. A device management solution would give this visibility and help with the regular checking of the effectiveness of the technical measures.  
GDPR Compliance   To remain compliant, all staff need to be aware of the organisations processes and security procedures concerned around handling personal data.      Staff awareness and trainingGDPR / Cyber Security Training  

Ultimately, your staff are your weakest link against cyber security…human error. Providing GDPR and/or Cyber Security training to your staff will be extremely beneficial to your organisation.
Article 32 – Security of processing   An organisation must be able to restore personal data, and restore access, in a timely manner.  Response and recovery planning3-2-1 Backup  

This is the most basic backup strategy which means you should have 3 copies of your data. The live data you work with, an onsite copy and an offsite copy. You would never be caught out with this structure and it will safeguard you business.  

Business Continuity Disaster Recovery  

Business Continuity and Disaster Recovery are vital for an organisation when a cyber disaster strikes! Business continuity provides you your plan to keep running during a disaster. Whereas Disaster Recovery restores your data access after a disaster.   Both will ensure your organisation can get back up and running and restore any lost data in a timely manner.  

Cambridge Support

Our experts have helped 1,000’s of companies over the decades. If you feel you need help with anything discussed in this article, please contact us today. Or call us on 01223 901 900 or email us at ask@cambridgesupport.com.