In this video, Mandy Huth discusses the technical measures outlined in Article 32 of the GDPR. Investigate data encryption, critical security controls, data restoration, and testing of controls.
- [Instructor] Once an organization understands what data they have, they have to show appropriate diligence in protecting it. These measures are called out in Article 32 of the GDPR. There are four components outlined for implementing technical controls that ensure a level of security appropriate to the risks. The first is around anonymization and encryption. Plaintext is a bad thing, mostly because it can be read by anyone who intercepts it, including bad actors.
An organization should consider data in transit and data at rest. For data in transit, TLS encryption is a good technical choice. For data at rest, encryption using AES-256 is a solid technical choice as well. Next is the confidentiality, integrity, and availability of the data, or the CIA of the data. These components are protected by many controls. An organization can reference the Center for Internet Security's Critical Security Controls page to look at what these controls are.
These controls align to other frameworks as well. They align to ISO 27002, which is an international standard. They align to the NIS regulations in the United States, and to the Australian security directorate top four security controls. The top 20 security controls can help not only under the regulation of GDPR, but in overall security measures for an organization as well. Some examples include having an inventory of your hardware and software, doing vulnerability assessments on those assets, ensuring the control of administrative privilege, and, very importantly, training your people to understand the security controls.
The third technical measure is the restoration of data. An organization must back up its critical information. They should test the restores to ensure they have viable copies. This practice ensures the availability of the data in case of loss. Finally, technical measures should be tested and checked for effectiveness. Some examples of how an organization can test are penetration testing, or doing a restore test of their backups.
An organization should consider both internal and external tests for their technical measures. Article 32 outlines the basic technical requirements for protecting data. They are not simple, but they are basic security measures every organization should strive to implement.
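The at-rest encryption and the restore-testing measures described above, as an added worked example that is not code from the course or the instructor. It uses AES-256-GCM, an authenticated mode, which is an assumption on top of the transcript's "AES-256": GCM gives the integrity half of CIA for free, because a stored record that has been modified, moved to another subject's row (wrong `aad`), or decrypted with the wrong key fails to open instead of returning garbage. The key is generated in-process for the demo only (a real deployment pulls it from a KMS or HSM), and the personal-data record is a constructed sample. The function names (`SealRecord`, `OpenRecord`, `RestoreTest`, `Digest`) are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// SealRecord encrypts one personal-data record at rest with AES-256-GCM.
// GCM is an authenticated mode: the ciphertext carries a tag, so a bit flip in
// storage is detected on decryption (integrity), not merely hidden (confidentiality).
// aad is authenticated but not encrypted; binding a record identifier here stops a
// ciphertext from being silently moved to a different subject's row.
// Output layout: nonce || ciphertext || tag. The nonce is random per call and is
// not secret, but it must never repeat under the same key.
func SealRecord(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// OpenRecord reverses SealRecord. It fails closed: a wrong key, a wrong aad, or a
// modified byte anywhere in the blob yields an error and no plaintext.
func OpenRecord(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed record too short to contain nonce and tag")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	// 32 bytes selects AES-256; a 16- or 24-byte key would silently give AES-128/192.
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Digest records a SHA-256 fingerprint of a backup at the time it is taken.
func Digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// RestoreTest is the "test the restore" step: decrypt the stored backup and check
// that what comes back matches the fingerprint recorded when the backup was made.
// It returns the restored bytes only when both checks pass.
func RestoreTest(key, sealedBackup, aad []byte, recordedDigest string) ([]byte, error) {
	restored, err := OpenRecord(key, sealedBackup, aad)
	if err != nil {
		return nil, fmt.Errorf("restore failed: %w", err)
	}
	if Digest(restored) != recordedDigest {
		return nil, errors.New("restore produced data that does not match the recorded digest")
	}
	return restored, nil
}

func main() {
	// Demo key only (assumption): in production the key comes from a KMS or HSM.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample record; the field values are invented for the demo.
	record := []byte("name=Jane Doe;email=jane@example.org;dob=1980-01-01")
	aad := []byte("subject-id:1001")

	sealed, err := SealRecord(key, record, aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob (%d bytes), first 16: %x\n", len(sealed), sealed[:16])

	// Viable-copy check passes on the untouched blob.
	if _, err := RestoreTest(key, sealed, aad, Digest(record)); err != nil {
		panic(err)
	}
	fmt.Println("restore test: OK")

	// Flip one bit of the stored blob: GCM refuses to return anything.
	corrupt := append([]byte(nil), sealed...)
	corrupt[len(corrupt)-1] ^= 0x01
	_, err = RestoreTest(key, corrupt, aad, Digest(record))
	fmt.Println("restore test on corrupted blob:", err)
}
```

Two practitioner caveats the transcript does not spell out: the nonce must be unique per key, so a key that protects very large numbers of records should be rotated or paired with a derived per-record key rather than reused indefinitely; and a restore test that only checks the file exists is not a test, which is why `RestoreTest` decrypts and compares a digest recorded at backup time.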
DISCLAIMER: Neither LinkedIn nor the instructor represents you, and they are not giving legal advice. The information conveyed through this course is not intended to give legal advice, but instead to communicate information to help viewers understand the basics of the topic presented. Certain concepts may not apply in all countries. The views (and legal interpretations) presented in this course do not necessarily represent the views of LinkedIn or Lynda.com.
- Define the objectives of GDPR relating to the personal privacy of citizens.
- Determine the responsibilities of data protection officers under GDPR.
- Identify the rights of citizens in the event of a data breach.
- Review the steps that must be taken in the event of a data breach.
- Describe the notification process in the event of a data breach.