The G.D.P.R. imposes a duty on all organisations to report breaches of personal data, i.e. whenever personal data is lost, destroyed, corrupted, disclosed or accessed without authorisation, or encrypted by ransomware. It also imposes a duty to notify the affected individuals themselves. Besides being fined by the ICO, imagine having to tell a client that you lost their personal data!
Don’t worry, we can help you! Our founder has 24 years’ experience in the IT industry, including 5 years working for an ISP and a further 14 years running his own IT business. Data security is what we do!
What The Regulations Say
Article 32, Section 1 of the G.D.P.R. imposes specific duties on anyone holding personal data to “implement appropriate technical and organisational measures” to keep it secure, including:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”
Section 2 specifies that the level of security must prevent “accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.”
Section 3 requires adherence to an approved code of conduct or an approved certification mechanism to demonstrate compliance. We are awaiting guidance on this.
Section 4 requires the controller and processor to prevent unauthorised access to systems.