GDPR Security Checklist

Meeting the requirements of the General Data Protection Regulation (GDPR) can be a major challenge. To help ease the stress of compliance, and ensure all aspects of data security are covered, we have produced a GDPR security checklist.

Complying with GDPR is not optional. There are severe penalties for noncompliance. A fine of up to €20,000,000 can be issued, or 4% of global annual turnover, whichever is the greater.

For most companies, complying with GDPR will involve a considerable amount of work, so it is essential to start your compliance program and assessments as soon as possible.

Complying with GDPR may require new security solutions to be implemented to ensure the confidentiality, integrity, and availability of personal data, although technology alone is not the solution. Policies and procedures must be developed, and employees must be trained in how to handle data correctly. GDPR requires a combination of technology, processes, procedures, and people all working together to ensure that the privacy of personal data is assured and the data rights of EU citizens are protected.

GDPR Security Checklist

Our GDPR security checklist contains a list of essential requirements of GDPR. Use our GDPR security checklist to make sure you have satisfied the requirements of GDPR or as a guide when developing your compliance program.

Conduct a Data Audit

To ensure the security of personal data, an organization must first know all locations where personal data is stored, processed, or transmitted. Unless organizations have a clear view of every system and application that is used in connection with personal data, it will not be possible to ensure appropriate safeguards are implemented to protect privacy, nor to ensure all personal data is erased if EU citizens exercise their right to be forgotten.

Your audit should include all individuals who access internal files and folders, and you should assess the actions they perform. You should be aware of who has access to SQL Server databases and the queries that are being run, and be aware of all applications that use, store, process, or transmit personal data. You must identify all devices on the network with data access, including personally owned mobile devices under a BYOD scheme.

You must maintain a list of all personal information you hold, where that information has come from, what you do with the data, and how long it will be kept.

After identifying all internal servers, endpoints, devices, and applications you need to make sure that service partners are also audited. Any provider whose products and services require contact with personal data must also comply with GDPR requirements. That includes all SaaS and cloud storage providers.

Implement Reasonable Data Security Protections

Article 32 of GDPR requires reasonable and appropriate data security measures to be implemented. Those measures should be appropriate to the level of risk, which means a controller or processor must conduct a risk analysis to assess risks. Any risk identified through the risk analysis must be managed and reduced to a reasonable level. Risks should be prioritized based on their impact on the organization and on the rights and freedoms of data subjects.

Article 32 suggests some ways that risks can be reduced and the types of security protections that should be considered, such as encryption and pseudonymization. However, it is the responsibility of each organization to ensure appropriate technical controls are implemented. The exact technologies to use are left to the discretion of the data controller or data processor.
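As an added illustration of one of the Article 32 measures named above (example code, not part of the original checklist), the following shows keyed pseudonymization: identifiers are replaced with HMAC tokens so that the working dataset stays joinable, while the token-to-identifier table that allows re-identification is produced separately so it can be held under stricter access control than the working data. The field names, sample records and key are constructed for the demonstration.

```python
import hmac
import hashlib
from typing import Dict, List, Tuple

# Fields treated as direct identifiers in this constructed dataset.
IDENTIFIER_FIELDS = ("email", "customer_id")


def pseudonym(value: str, key: bytes) -> str:
    """Keyed, one-way token for an identifier.

    HMAC rather than a bare hash: the same input always yields the same
    token (records remain joinable), but without the key nobody can
    recompute tokens from guessed identifiers such as e-mail addresses.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def pseudonymize_records(records: List[Dict[str, str]], key: bytes
                         ) -> Tuple[List[Dict[str, str]], Dict[str, str]]:
    """Replace identifiers with tokens.

    Returns the working dataset and the token -> identifier table. The table
    is the 'additional information' that GDPR Art. 4(5) requires to be kept
    separately; store it (and the key) apart from the working dataset.
    """
    working: List[Dict[str, str]] = []
    lookup: Dict[str, str] = {}
    for rec in records:
        out = dict(rec)
        for field in IDENTIFIER_FIELDS:
            if field in out:
                token = pseudonym(out[field], key)
                lookup[token] = out[field]
                out[field] = token
        working.append(out)
    return working, lookup


def re_identify(token: str, lookup: Dict[str, str]) -> str:
    """Reverse a token; only possible for whoever holds the lookup table."""
    return lookup[token]


# Constructed sample records (not real people).
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "email": "alice@example.org", "plan": "pro"},
    {"customer_id": "C-1002", "email": "bob@example.org", "plan": "free"},
    {"customer_id": "C-1001", "email": "alice@example.org", "plan": "pro"},
]

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; in practice fetch from a KMS/HSM
    working, lookup = pseudonymize_records(SAMPLE_RECORDS, key)
    for rec in working:
        print(rec)
    print("re-identified:", re_identify(working[0]["email"], lookup))
```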

Ensure Access Controls are Configured Correctly

Access to personal data should be limited to individuals who require the data to perform their work duties, and limited to the minimum amount necessary to achieve those purposes. Effective access controls will reduce the potential for insider breaches and limit the harm caused if credentials are stolen. If access to personal data is not required, access should not be possible.

Further, measures should be implemented to limit the potential for unauthorized access, such as enforcing the use of strong passwords and implementing multi-factor authentication.

Ensure Activity Logs are Created, Maintained, and Monitored

You must ensure that activity and system event logs are created. You should implement policies, procedures, and technical solutions to monitor users’ behavior for signs of unauthorized data access. Logs should be monitored for suspicious network and account activity.
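The following is an added example (not from the original checklist) tying the access-control and log-monitoring points together: it reviews constructed data-access log lines against a role-to-table entitlement map, flagging any read of a personal-data table that lies outside the actor's role and any read larger than an interactive user would normally perform. The log format, role names, tables and bulk threshold are all constructed for the demonstration.

```python
import re
from typing import Dict, List, Set

# Role -> tables holding personal data that the role may read.
# Constructed entitlement map; the real one comes from your data audit.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "support":   {"customers", "tickets"},
    "marketing": {"campaigns"},
    "billing":   {"customers", "invoices"},
}
BULK_ROWS = 500  # constructed threshold for "unusually large" reads

# Constructed log lines in a simple key=value layout (not a real product's format).
SAMPLE_LOG = """\
2024-03-04T09:15:01Z user=asmith role=support table=customers action=read rows=3
2024-03-04T09:16:40Z user=asmith role=support table=tickets action=read rows=7
2024-03-04T02:05:12Z user=bjones role=marketing table=customers action=read rows=4200
2024-03-04T10:02:09Z user=clee role=billing table=invoices action=read rows=20
2024-03-04T10:03:55Z user=clee role=billing table=customers action=export rows=980
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"table=(?P<table>\S+) action=(?P<action>\S+) rows=(?P<rows>\d+)$")


def parse_line(line: str) -> Dict[str, str]:
    """Parse one log line into its fields; reject lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsed log line: {line!r}")
    return m.groupdict()


def review_access_log(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per access outside the role's entitlement
    and one per access larger than a normal interactive read."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        allowed = ROLE_ENTITLEMENTS.get(ev["role"], set())
        if ev["table"] not in allowed:
            findings.append({**ev, "reason": "table not permitted for role"})
        if int(ev["rows"]) > BULK_ROWS:
            findings.append({**ev, "reason": f"bulk {ev['action']} of {ev['rows']} rows"})
    return findings


if __name__ == "__main__":
    for f in review_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['user']} ({f['role']}) {f['action']} {f['table']}: {f['reason']}")
```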

Implement a Real Time Detection and Response Solution

Protecting against cyber attacks and unauthorized access is essential, but it is not reasonable to expect all attempts to access data to be prevented. You should secure your servers and endpoints with a solution that can detect data breaches and intrusions in real time, and automatically respond and terminate services or device access. A Security Information and Event Management (SIEM) tool can improve your detection and response time.

Ensure Regular Security Scanning Takes Place

Patches must be applied promptly, operating systems must be kept up to date, and regular vulnerability scans should be conducted. When security vulnerabilities are discovered, they should be addressed through an effective risk management process. Consider running external penetration tests to check for any chinks in your defenses that could be exploited by threat actors to gain access to systems and data.

Conduct Data Protection Impact Assessments

A data protection impact assessment (DPIA) is a process that helps you identify and minimize data protection risks. Certain types of processing that involve a high risk to data subjects’ rights and freedoms must be subjected to a DPIA. The DPIA must describe the nature, scope, context and purposes of the processing; assess necessity, proportionality and compliance measures; identify and assess risks to individuals; and identify any additional measures to mitigate those risks.

Develop Data Breach Notification Policies and Procedures

Article 32 requires data controllers to restore availability and access to personal data in a timely manner following a physical or technical security incident. Unless an incident response plan is developed in advance and all individuals involved in the breach response are aware of their responsibilities, a rapid response will be difficult.

Data controllers and data processors are also required to report data breaches within 72 hours of discovery. Policies and procedures should be developed to ensure notifications are issued ahead of the deadline.

Train all Employees on their Responsibilities and Provide Security Awareness Training

It is the responsibility of the data controller or data processor to ensure that all employees are aware of their responsibilities under GDPR and know how to handle data securely. In addition to providing training on GDPR, employees should receive security awareness training and be made aware of the risks to the confidentiality, integrity, and availability of personal data. Teach security best practices and eradicate risky behaviors.

Regularly Review Policies, Procedures, and Safeguards

Policies and procedures can be developed and safeguards implemented to ensure compliance with the GDPR security requirements, but they may not ensure continued compliance. Business processes may change, technology will be updated, and individuals’ roles will likely change over time. To ensure continued compliance, all policies, procedures, and safeguards should be reviewed regularly and updated as necessary.
