What you need to know about meeting GDPR information security requirements and how much it should cost you
Did you check whether the security measures implemented in your business fit the GDPR checklist? If you said yes, you are not being quite honest with yourself: there is no GDPR checklist. The GDPR does not specify a set of security requirements. It does, however, require you to be accountable and able to demonstrate that your business applied technical and organisational measures that ensure a level of data security appropriate to the risk presented by processing personal data; otherwise you may be exposed to high fines or other sanctions.
What does ensuring a level of data security appropriate to the risk mean? It means you need to start by assessing the risks and then review whether your security measures meet standards that fit your specific business. To answer this question, you might need to research what similar businesses, of similar scope and in the same field and with similar data practices, actually do. For businesses that have not yet gone through a GDPR compliance process, it could also mean starting with a data mapping exercise to determine which types of personal data are processed, and where, when, how and why.
European regulators have already announced significant fines against companies that suffered security breaches; the UK ICO's stated intentions to fine British Airways (£183.39M) and Marriott International (£99M) are just two examples, in each case for failing to demonstrate compliance with Article 32, which sets out the above requirement for appropriate security measures. The GDPR also lists the technical and organisational measures a company had in place as a factor regulators must weigh when setting a fine, so having appropriate measures can reduce such fines even if a breach does occur. Since regulators cannot be familiar with your specific business and practices, your best play is to carry out a thorough analysis and document your assessments and decisions clearly. Independent information security reviews may also be a valuable tool for meeting the accountability requirement.
If your business provides services to other businesses that are subject to the GDPR, having proper documentation as described above, including policies and procedures, will in turn help you answer the security concerns raised by your customers. It can also give you an advantage over competitors with those customers for whom the GDPR poses a material risk, and make your life easier when you are presented with a variety of security questionnaires.
When reviewing whether your current security posture meets the GDPR security requirements, you should also take into account, as always, the resources that it is appropriate to spend on the matter. Of course, the easiest way to meet the security requirements would be to purchase and deploy the newest, most expensive security solutions on the market and show regulators and clients how much you invest. However, as you run a business meant to make a profit, this approach is not realistic.
To find the right balance between spend and results, the smartest thing you can do is, again, research: which tools are available on the market for businesses of your type and size, which free or open-source solutions exist, and which capabilities are already available within your systems but are not utilised to their full potential. After all, even if you deploy the most expensive solutions, you may not configure them correctly, they may still not provide sufficient coverage, and you may still suffer a breach. Further, too many tools can become a distraction in the form of too many false positives. The GDPR itself takes this into account: it states that security measures should be chosen with regard to the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing.
If you are serious about GDPR security compliance, take the time to go through a well-considered process: identify your assets, know your practices, assess the risks to personal data associated with those practices, and then implement the right security measures, taking into account existing standards and technologies as well as the cost of those measures.