The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. It requires that appropriate technical or organisational measures are used.
These include having and maintaining the following IT measures:
- Business Firewalls
- Secure communications
- Encryption (where appropriate such as laptops and memory sticks)
- Business Network Policies
- Disaster recovery plan and backups
- Operating System update/patch policies
- Device patches and updates
- Password Policies
- Intrusion detection and data analysis tools
The above list is not exhaustive and each business needs to be evaluated individually. Businesses can seek certification such as Cyber Essentials to demonstrate their commitment to cyber security. You also need to ensure the physical security of the premises and devices where data is held, and implement staff policies and guidance on the protection of data, the use of portable media for storage and staff's general responsibilities for data under the guidelines set out in the GDPR. The processor should also be monitored to ensure that the data is being processed in a correct and lawful way.