GDPR- General Data Protection Regulation (2016)

Safeguard Measures
1. Organization need to take essential safeguard measures. (Art. 24)
2. Security of processing (Art. 32)
3. Data Protection Impact Assessment (Art. 35)

Explanation:
Essential Features for Compliance in accordance with GDPR
1. Pseudonymization/ Anonymization of Data stored is compulsory.

The GDPR recommends the application of pseudonymization to personal data to reduce risks to data
subjects and help controllers and processors meet their data-protection obligations.

2. Organizations need consent from individuals to gather their personal data.

Consent needs to be given by a clear, affirmative act establishing a freely given, specific, informed and
unambiguous indication of the data subject’s agreement to the processing of personal data. Pre-ticked
boxes, silence and inactivity do not constitute consent.9 Organizations need to maintain a record of
receiving consent, and make sure consent requests are distinguishable from other requests, using clear
and plain language

3. DPIA

DPIA, which is required for high-risk activities, helps organizations evaluate the origin, nature,
particularity and severity of risks and implement appropriate measures to mitigate risks, such as
encryption. In assessing data security risk, consideration should be given to the risks that are presented
by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorized
disclosure of, or access to, personal data transmitted, stored or otherwise processed which may lead to
physical, material or non-material damage.

4. Data Protection Officer Appointment

Mandatory for a company whose core activities consist of processing operations which require regular
and systematic monitoring of data subjects on a large scale. A DPO is also mandatory for all
enterprises that process data regarding sensitive data, such as health, religious or political beliefs on a
large scale.
Physical Security and Privacy Requirements
Generalized Measures:
 Deploy Data Protection by Design and Default:
To protect data by default, organizations must proactively identify and collect only the personal data
necessary for their intended purposes, keep the data only for as long as necessary (minimization
principle), and they should ensure that personal data will not be made accessible to an indefinite
number of people. Steps like anonymization and pseudonymization to be taken.

 Use Physical Safeguards

To determine where physical barriers are needed, identify where sensitive information is accessed. For
example, employees frequently use mobile devices to access and share data from anywhere. A growing
number of these workers access sensitive information in public places, often in full view of others.
There’s increased risk of data exposure inside the office too. The common open-office floor plans
remove physical barriers that traditionally helped shield computer screens.

Sample questions to consider for complying with the safety: Have you positioned computer screens
away from windows, doors and areas publicly accessible? Do you equip monitors and mobile device
screens with privacy screens to obscure the viewing of information to potential onlookers? Are shared
printer/copier/ fax machines in protected areas or have locking covers? Do you store physical copies of
data in an access-controlled facility?

 Schedule Employee Training:

Training programs should cover three key aspects: Observation, Physical Access, and Theft Prevention
best practices. For example, employees should be reminded to be conscious of their surroundings when
accessing and managing connected devices from public places via their laptops, tablets and
smartphones. Device screens should not be exposed to passers-by and potential onlookers, especially
when entering log-in information or viewing sensitive account details. When it comes to physical
access, organizations should train employees to erase information from white boards and collect
confidential papers following meetings, memorize passwords instead of writing them down, lock file
cabinets and laptops, use privacy filters on computing devices and maintain a clean desk policy
including logging off unattended devices.

 Develop Clear Policies:

To demonstrate an organization’s commitment to implement appropriate security and privacy
measures, their policies should outline the do’s and dont’s of information viewing and use for
employees and contractors both in the workplace and when working remotely. Employee agreements
should contain specific language about the responsibility to safeguard sensitive and confidential
information.

 Set Data Storage Limits:

Set time periods for how long personal data will be stored –in accordance with applicable laws.
Securely erase all personal data that is not absolutely required to support the business purposes for
which they were collected.

 Verify Third-Party Suppliers:

Only use processors that provide sufficient guarantees in terms of expert knowledge, reliability and
resources to implement technical and organizational measures, including for the security of processing.
 Create a Data Breach Protocol:
Organizations must be prepared to notify the supervisory authority without undue delay when it
becomes aware that a personal data breach has occurred (when feasible, no later than 72 hours).

Or, be able to demonstrate that the personal data breach is unlikely to result in a risk to the rights and
freedoms of natural persons. If there is a high risk, the data subject must also be notified of the data
breach, without undue delay.

 Know the Individual’s Rights

Comment: (Not Practically Feasible!)

EU residents now have the right to see what personal data organizations have regarding them – and
request their data be erased under certain circumstances. The right to erasure requires organizations to
erase any links to, or copies or replications of those personal data. Organizations should provide a way
for people to make requests electronically, especially if personal data is processed by electronic means.

Suggested Mandatory Technical-Measures in Compliance

with GDPR:
 Vulnerability scans
Many organisations’ network security defences consist only of patch management and antivirus
software. Those are essential, but so is reviewing configurations, third-party applications and hardware.
This is what vulnerability scans do.

A vulnerability scan is an automated process that finds and alerts organisations about known
weaknesses in their systems. There are two types of scan: external and internal. External scans look for
ways in which malicious outsiders can exploit the organisation, and internal scans look for threats
inside the organisation, such as the potential for privilege abuse.

Organisations should conduct regular vulnerability scans to secure many of the most common security
flaws that lead to data breaches. However, it’s important to learn how to interpret the results of a
vulnerability scan. Many non-security professionals see that risks are often rated as ‘low’ or ‘medium’
and infer that the organisation’s defences are reasonably effective. But almost all vulnerabilities can be
leveraged by criminal hackers. To stop that from happening, you need to conduct regular penetration
tests.

 Penetration testing
Penetration testing is essentially a controlled form of hacking in which a professional penetration tester,
working on behalf of an organisation, uses the same techniques as a criminal hacker to search for
vulnerabilities in the organisation’s networks or applications.

Whereas a vulnerability scan can be automated, a penetration test requires a certain level of expertise
and hands-on work. A good penetration tester can craft scripts, change the parameters of an attack and
tweak the settings of their tools.

Testing can operate on application or network level, and the scope can be adjusted based on
departments, functions or certain assets. Alternatively, tests can examine the entire infrastructure and
all its applications, although this is usually too impractical.
  Testing to fit budgetary requirements
Penetration testing has sometimes been erroneously referred to as an expensive way of finding out
where you need to spend more money. However, without testing, organisations expose themselves to
data breaches and cyber-attacks, which will almost certainly cost more than a penetration test.

There are also ways to reduce the cost of penetration testing.

For example, it’s not always necessary to test every aspect of an application or network. That would
only be required if you stored highly sensitive information or had a reason to think you are being
targeted by criminal hackers.

Practical Action Plan

Deploy Data Protection by Default Steps:
and Design.  Keep the data only for as long as necessary.
 Ensure that personal data will be accessible to only a set of
people.
 Pseudonymizing or Anonymizing as per the need.

 Considering privacy risks to individuals before

designing your information systems, business practices
and physical design.

 Review current systems and processing activities, and

check if additional steps are needed to document how
personal data will be protected throughout the entire
information lifecycle.

Use Physical Safeguards

 Position computer screens away from windows, doors and
areas publicly accessible.
 Equip monitors and mobile device screens with privacy
screens to obscure the viewing of information to potential
onlooker.
 Storage of Physical copies of data in access controlled
environment.

Schedule Employee Training Concepts to be covered: Observation, Physical Access, and Theft
Prevention.

Train employees to-

 To erase information from white boards and collect confidential
papers following meetings.
 Memorize passwords instead of writing them down.
 Lock file cabinets and laptops.
 Use privacy filters on computing devices and maintain a clean desk
policy including logging off unattended devices.

Set Data Storage Limits  Make the deadline already set at the time of data storage.
 Destruct the data as soon as time limit is over.
 Keep check on the time implementation.
Verify Third-Party Suppliers
 A Vendor management program that includes contractual
obligations and establishes management oversight activities for
third parties with access to personal data.

 Only use processors that provide sufficient guarantees in terms

of expert knowledge, reliability and resources to implement
technical and organizational measures, including for the
security of processing.

Create a Data Breach Protocol

 Notify the breach to supervising authority within set limit of
time. (Maybe we can fix it as 48 hours-time.)

 Legal Deptt. to take legal action as per laws against the

offender within 2-3 days.

Strict and Clear Privacy Policy

 Do’s and Dont’s of information viewing and use for
employees.
 Contracts for both in the workplace and when working
remotely.
 Employee agreements should contain specific language about
the responsibility of employees to safeguard sensitive and
confidential information.