Safeguard Measures
1. Organizations need to take essential safeguard measures (Art. 24).
2. Security of processing (Art. 32)
3. Data Protection Impact Assessment (Art. 35)
Explanation:
Essential Features for Compliance in accordance with GDPR
1. Pseudonymization/Anonymization of stored data is compulsory.
The GDPR recommends applying pseudonymization to personal data to reduce risks to data subjects and to help controllers and processors meet their data-protection obligations.
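The pseudonymization the paragraph recommends, as an added Python example that is not part of the original page: direct identifiers are replaced with keyed HMAC tokens, and the key plus the re-identification table are the "additional information" that has to be held separately from the records. The sample records, field names and functions are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (invented people); "email" is the direct identifier.
RECORDS = [
    {"email": "alice@example.org", "city": "Lyon", "orders": 3},
    {"email": "bob@example.org", "city": "Lyon", "orders": 1},
    {"email": "Alice@Example.org", "city": "Lyon", "orders": 2},
]
DIRECT_IDENTIFIERS = ("email",)


def pseudonym(value: str, key: bytes) -> str:
    """Keyed, deterministic token: same person + same key -> same token, so an
    analyst can still join one person's records. A plain unkeyed hash would
    not do: e-mail addresses are guessable and could be rehashed and matched."""
    normalised = value.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:32]


def pseudonymize(records, key: bytes):
    """Replace direct identifiers with tokens. Returns (pseudonymized records,
    re-identification table). The key and the table must be kept apart from
    the records, under their own access control; without them the tokens
    cannot be linked back to a person."""
    out, lookup = [], {}
    for rec in records:
        new = dict(rec)
        for f in DIRECT_IDENTIFIERS:
            token = pseudonym(rec[f], key)
            lookup[token] = rec[f].strip().lower()
            new[f] = token
        out.append(new)
    return out, lookup


def reidentify(rec, lookup):
    """Re-link a record; only possible for whoever holds the separate table."""
    new = dict(rec)
    for f in DIRECT_IDENTIFIERS:
        new[f] = lookup[new[f]]
    return new


if __name__ == "__main__":
    key = secrets.token_bytes(32)            # keep this in a secrets store
    pseudo, table = pseudonymize(RECORDS, key)
    assert pseudo[0]["email"] == pseudo[2]["email"]      # same person, joinable
    assert "@" not in pseudo[0]["email"]                 # identifier removed
    assert reidentify(pseudo[1], table)["email"] == "bob@example.org"
    assert pseudonymize(RECORDS, secrets.token_bytes(32))[0][0]["email"] != pseudo[0]["email"]
```

Using a different key per processing purpose gives datasets that cannot be joined with each other, which limits the damage if one of them leaks.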
3. DPIA
A DPIA, which is required for high-risk processing activities, helps organizations evaluate the origin, nature, particularity and severity of risks and implement appropriate measures to mitigate them, such as encryption. In assessing data security risk, consideration should be given to the risks presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed, which may lead to physical, material or non-material damage.
A Data Protection Officer (DPO) is mandatory for a company whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale. A DPO is also mandatory for all enterprises that process sensitive data, such as health, religious or political beliefs, on a large scale.
Physical Security and Privacy Requirements
Generalized Measures:
Deploy Data Protection by Design and Default:
To protect data by default, organizations must proactively identify and collect only the personal data necessary for their intended purposes, keep the data only for as long as necessary (minimization principle), and ensure that personal data will not be made accessible to an indefinite number of people. Steps such as anonymization and pseudonymization should be taken.
Sample questions to consider when assessing physical safeguards: Have you positioned computer screens away from windows, doors and publicly accessible areas? Do you equip monitors and mobile device screens with privacy screens to obscure the information from potential onlookers? Are shared printers, copiers and fax machines in protected areas, or do they have locking covers? Do you store physical copies of data in an access-controlled facility?
Or, be able to demonstrate that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If there is a high risk, the data subject must also be notified of the data breach without undue delay.
A vulnerability scan is an automated process that finds and alerts organisations about known weaknesses in their systems. There are two types of scan: external and internal. External scans look for ways in which malicious outsiders can exploit the organisation, and internal scans look for threats inside the organisation, such as the potential for privilege abuse.
Organisations should conduct regular vulnerability scans to address many of the most common security flaws that lead to data breaches. However, it’s important to learn how to interpret the results of a vulnerability scan. Many non-security professionals see that risks are often rated as ‘low’ or ‘medium’ and infer that the organisation’s defences are reasonably effective. But almost all vulnerabilities can be leveraged by criminal hackers. To stop that from happening, you need to conduct regular penetration tests.
Penetration testing
Penetration testing is essentially a controlled form of hacking in which a professional penetration tester, working on behalf of an organisation, uses the same techniques as a criminal hacker to search for vulnerabilities in the organisation’s networks or applications.
Whereas a vulnerability scan can be automated, a penetration test requires a certain level of expertise and hands-on work. A good penetration tester can craft scripts, change the parameters of an attack and tweak the settings of their tools.
Testing can operate at the application or network level, and the scope can be adjusted based on departments, functions or certain assets. Alternatively, tests can examine the entire infrastructure and all its applications, although this is usually impractical.
Testing to fit budgetary requirements
Penetration testing has sometimes been erroneously referred to as an expensive way of finding out where you need to spend more money. However, without testing, organisations expose themselves to data breaches and cyber-attacks, which will almost certainly cost more than a penetration test.
For example, it’s not always necessary to test every aspect of an application or network. That would only be required if you stored highly sensitive information or had a reason to think you are being targeted by criminal hackers.
Schedule Employee Training
Concepts to be covered: Observation, Physical Access, and Theft Prevention.
Set Data Storage Limits
Set the retention deadline at the time the data is stored.
Destroy the data as soon as the time limit expires.
Keep checking that the time limits are actually enforced.
Verify Third-Party Suppliers
A vendor management program that includes contractual obligations and establishes management oversight activities for third parties with access to personal data.
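The three storage-limit steps above, as an added Python example that is not part of the original page: a small retention register that stamps each item with its deletion deadline at storage time, destroys items whose deadline has passed, and reports items that should already be gone (the check that enforcement is actually happening). The retention periods and purposes are assumed values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed retention periods per processing purpose (assumed values, not
# taken from the page or from any legal requirement).
RETENTION = {
    "support_ticket": timedelta(days=365),
    "marketing_consent": timedelta(days=730),
    "job_application": timedelta(days=180),
}


@dataclass
class Item:
    key: str
    purpose: str
    stored_at: datetime
    delete_by: datetime            # fixed when stored, never extended silently
    payload: dict = field(default_factory=dict)


class RetentionStore:
    def __init__(self):
        self.items = {}
        self.log = []               # destruction evidence for audit

    def store(self, key, purpose, payload, now):
        """Step 1: the deadline is set the moment the data is stored, and data
        with no defined retention period is refused rather than kept forever."""
        if purpose not in RETENTION:
            raise ValueError(f"no retention period defined for {purpose!r}")
        self.items[key] = Item(key, purpose, now, now + RETENTION[purpose], payload)

    def purge(self, now):
        """Step 2: destroy every item whose deadline has passed; return the keys."""
        expired = sorted(k for k, it in self.items.items() if it.delete_by <= now)
        for k in expired:
            del self.items[k]
            self.log.append((k, now))
        return expired

    def overdue(self, now, grace=timedelta(days=7)):
        """Step 3: enforcement check. Items still present after deadline + grace
        mean the purge job is not running; alert on a non-empty result."""
        return sorted(k for k, it in self.items.items() if it.delete_by + grace <= now)
```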