New guidance clarifies what are considered ‘appropriate’ measures.
Guidance summarising appropriate and proportionate security measures issued by the ICO and NCSC towards the end of May recognises that ‘there is a lot of confusion as to the technical security required to comply with … data protection obligations’.
The guidance describes a set of technical security outcomes that are considered to represent appropriate measures under the GDPR.
The guidance states that ‘GDPR requires you to have a level of security that is “appropriate” to the risks presented by your processing. You need to consider this in relation to the … costs of implementation, as well as the nature, scope, context and purpose of the processing. This reflects both the GDPR’s risk-based approach, and that there is no “one size fits all” solution to security.
‘This means that what’s “appropriate” for you will depend on your own circumstances, the processing you’re doing, and the risks it presents.’
It is then stated that the ‘guidance sets out security outcomes that could form the basis of describing appropriate technical and organisational measures to protect personal data. Whilst there are minimum expectations, the precise implementation of measures must be appropriate to the risks faced.’
Clearly, it would be prudent to check the security measures implemented against the guidance provided because, as highlighted above, there are minimum expectations.
The guidance recommends adopting an outcomes-based approach built around the following four aims:
manage security risk
protect personal data against cyber attack
detect security events
minimise the impact.
In the guidance, under each of the aims above, measures are highlighted that organisations may wish to consider. Under ‘Protect personal data against cyber attack’ it is stated that a business should have ‘proportionate security measures in place to protect against cyber attack which cover:
the personal data you process and
the systems that process such data’.
The sub-headings provided set out the measures that organisations may wish to consider. They are also useful when checking the processes an organisation has in place, as regulators are likely to ask for documentation under each of the headings in the event of an investigation. The sub-headings are:
B.1 Service protection policies and processes
B.2 Identity and access control
B.3 Data security
B.4 System security
B.5 Staff awareness and training.
Under B.1 Service Protection Policies and Processes it is highlighted that suitable policies should be in place and that policies and procedures should be defined, implemented, communicated and enforced. For example, a computer use policy may be appropriate for many organisations, as it sets out the requirements placed on employees and workers.
ACCA has issued a member proforma Computer Use Policy, made available to members as part of the Employment Law series of Factsheets.
It is also highlighted that the use of frameworks such as Cyber Essentials would be beneficial. As a reminder, Cyber Essentials, as well as offering certification (the Cyber Essentials Certificate), also provides free advice and sets out the essential controls required.