GDPR Compliance Journey - 13 Technical Measures
Summary
TL;DR: In this GDPR compliance video, Mike Savin discusses the importance of implementing appropriate technical measures to protect personal data. He highlights the need to assess the sensitivity of the data and the associated risks, suggesting Cyber Essentials as a base level standard for UK organizations. Savin also offers practical advice for non-technical individuals on securing personal information, emphasizing the importance of documentation and ongoing review of these measures.
Takeaways
- 🔒 GDPR requires the implementation of appropriate technical measures to protect personal data, but it does not specify which measures to use.
- 📏 The level of technical measures should be commensurate with the sensitivity of the personal information and the associated risks.
- 👶 For highly sensitive data, such as information about children, a higher level of technical control is recommended.
- 💡 Cyber Essentials is suggested as a good starting point for implementing technical measures, providing a base level of IT security.
- 🇬🇧 The UK government recommends Cyber Essentials for organizations wanting to work with them, indicating its importance.
- 🔄 Cyber Essentials covers a broad range of topics including infrastructure scope, firewalls, device configuration, user access, malware protection, and system updates.
- 🆓 Access to Cyber Essentials is available for free through the Guidelines software, making it accessible to all organizations.
- 👷 For those not technically minded, simple steps like using strong passwords, changing default passwords, and enabling two-factor authentication can enhance security.
- 📊 Data mapping and Data Protection Impact Assessments (DPIAs) are crucial for identifying necessary technical measures and assessing their effectiveness.
- 📝 Documentation of implemented technical measures is essential for ongoing review and testing of security measures.
- 🔄 Regular review and testing of technical measures ensure ongoing compliance and security.
Q & A
What is the main topic discussed in the video script?
-The main topic discussed in the video script is the implementation of technical measures as part of GDPR compliance, with a focus on the Cyber Essentials scheme as a base level standard for organizations.
What does GDPR require in terms of technical measures?
-GDPR requires organizations to implement appropriate technical measures, giving data encryption and pseudonymization as examples rather than as a fixed list. The measures should be commensurate with the sensitivity of the personal information and the associated risks.
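As an added illustration of one of the two measures the regulation names (this is not code from the video, from Mike Savin, or from the Guidelines software), the Python below pseudonymises the direct identifiers in a small constructed set of customer records with a keyed hash (HMAC-SHA256) and shows the check a practitioner would want: an unkeyed hash of an email address can be recomputed by anyone holding a list of likely addresses, whereas the keyed token cannot be matched without the key. The record layout, the field names, the sample data and the rule that the key is stored apart from the data are all assumptions of the example.

```python
"""Pseudonymising personal data with a keyed hash (HMAC-SHA256).

Added example; not code from the video or from the Guidelines software.
Assumptions not in the page: records are plain dicts with the field names
below; the HMAC key is stored separately from the pseudonymised data
(e.g. in a secrets store) so that holding the data alone reveals nothing.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Constructed sample records (not real people). Alice appears twice, once with
# different capitalisation, so the example can show that one person maps to one token.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"name": "Alice Example", "email": "Alice@example.org", "postcode": "AB1 2CD", "order": "1001"},
    {"name": "Bob Example",   "email": "bob@example.org",   "postcode": "EF3 4GH", "order": "1002"},
    {"name": "Alice Example", "email": "alice@example.org", "postcode": "AB1 2CD", "order": "1003"},
]

# Fields that directly identify a person and must be replaced.
DIRECT_IDENTIFIERS = ("name", "email")


def new_key() -> bytes:
    """Generate a fresh 256-bit HMAC key; keep it apart from the data set."""
    return secrets.token_bytes(32)


def _normalise(value: str) -> bytes:
    # Case and whitespace differences should not split one person into two tokens.
    return value.strip().lower().encode("utf-8")


def pseudonym(value: str, key: bytes) -> str:
    """Deterministic keyed token for an identifier.

    Same value + same key -> same token, so records can still be linked for
    analysis; without the key the token can be neither reversed nor recomputed.
    """
    return hmac.new(key, _normalise(value), hashlib.sha256).hexdigest()


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256 of the identifier. Shown only as the weak option: anyone
    with a list of likely emails or names can recompute it and match records."""
    return hashlib.sha256(_normalise(value)).hexdigest()


def pseudonymise(records: Iterable[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    """Return copies of the records with direct identifiers replaced by tokens.

    Other fields are left as they are; whether postcode or order data also
    need treatment is exactly the question a DPIA should answer.
    """
    out = []
    for rec in records:
        new = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            if field in new:
                new[field] = pseudonym(new[field], key)
        out.append(new)
    return out


def reidentify_by_guessing(token: str, candidates: Iterable[str],
                           key: Optional[bytes] = None) -> Optional[str]:
    """Dictionary attack: recompute the token for each candidate value and
    return the one that matches, or None.

    With key=None the attacker assumes a plain hash was used. With the key
    they can match HMAC tokens as well, which is why the key must never be
    stored beside the pseudonymised data.
    """
    for cand in candidates:
        guess = pseudonym(cand, key) if key is not None else unkeyed_hash(cand)
        if hmac.compare_digest(guess, token):
            return cand
    return None


if __name__ == "__main__":
    key = new_key()
    for row in pseudonymise(SAMPLE_RECORDS, key):
        print(row)
```

The point of `reidentify_by_guessing` is the caveat: hashing an email address with plain SHA-256 is not pseudonymisation in any meaningful sense, because the input space is guessable. The keyed variant only holds up while the key stays out of the hands of whoever has the data, so the key's storage and access control are part of the measure and belong in the DPIA and the documentation.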
What is Cyber Essentials and why is it recommended by the UK government?
-Cyber Essentials is a scheme that lays out a base level of simple IT security measures that the UK government recommends all organizations should follow. It is designed to help protect against common cyber threats and is considered a good starting point for technical measures.
What are some of the basic topic areas covered by the Cyber Essentials scheme?
-The Cyber Essentials scheme covers areas such as the scope of technical infrastructure, firewalls, device configuration, user access control, malware protection, and the importance of keeping systems updated.
How can non-technical individuals ensure they are being careful with personal information?
-Non-technical individuals can ensure careful handling of personal information by using long and strong passwords, changing default passwords on new devices, implementing two-factor authentication, and being mindful of what they send and do.
What is the significance of data mapping in the context of GDPR compliance?
-Data mapping is significant as it helps identify processes that may present more risk, guiding the organization to perform a data protection impact assessment and determine the necessary technical measures to be implemented.
Why is it important to document the technical measures implemented?
-Documenting technical measures is important because it allows organizations to review and test these measures on an ongoing basis, ensuring continuous compliance and the ability to demonstrate compliance if challenged.
How can organizations access the Cyber Essentials guidelines and what does it cost?
-Organizations can access the Cyber Essentials guidelines for free by signing up on the guidelines software platform, which is available to everyone at no cost.
What is the next step after implementing technical measures according to the video script?
-The next step after implementing technical measures is to review and test these measures regularly, which will be discussed in a later video.
What is the role of a data protection impact assessment in determining technical measures?
-A data protection impact assessment helps detail which measures have been put in place and is crucial for identifying the necessary technical measures based on the risks associated with specific data processing activities.
What are some practical steps for organizations to enhance their technical security?
-Practical steps include implementing strong password policies, using secure mobile phone codes for two-factor authentication, and considering password-protecting spreadsheets that contain personal information. In practice that means encrypting the file with a password (in Excel, "Encrypt with Password" under Protect Workbook), not merely locking sheets or cells, which does not encrypt the data.
Outlines
🔒 Understanding GDPR's Technical Measures
In this video segment, Mike Savin discusses the complexities of implementing technical measures as per the General Data Protection Regulation (GDPR). The GDPR requires organizations to put in place 'appropriate technical measures' for data protection, but it does not specify which measures to take. The focus is on ensuring that the measures are proportional to the level of personal information and the associated risks. Savin emphasizes the importance of considering the sensitivity of data, such as data involving children, which might necessitate higher levels of technical control. He introduces Cyber Essentials as a recommended starting point for organizations to meet the GDPR's technical requirements, explaining that it provides a base level of IT security measures that are recommended by the UK government for all organizations. The segment also covers the broad areas covered by Cyber Essentials, including infrastructure scope, firewalls, device configuration, user access control, malware protection, and the importance of keeping systems updated.
🛡️ Practical Steps for Non-Technical GDPR Compliance
This paragraph provides guidance for individuals and organizations that may not be technically adept but still need to ensure compliance with GDPR's technical measures. It suggests practical steps such as using strong, unique passwords, changing default passwords on new devices, employing two-factor authentication, and securing documents containing personal information with passwords. The speaker encourages viewers to be mindful of their data handling practices and to seek help from IT professionals if needed. He also mentions the availability of the Cyber Essentials scheme for free through the Guidelines software, which can help organizations assess their current security measures against a base level standard. The paragraph concludes by linking the discussion back to previous videos on data mapping and data protection impact assessments, emphasizing the importance of documenting technical measures and reviewing them regularly to maintain compliance.
Keywords
💡GDPR
💡Technical Measures
💡Data Encryption
💡Pseudonymization
💡Cyber Essentials
💡IT Infrastructure
💡Data Mapping
💡Data Protection Impact Assessment (DPIA)
💡Two-Factor Authentication
💡Antivirus and Anti-Malware
💡Password Policies
Highlights
The GDPR requires implementing appropriate technical measures but does not specify which ones.
Technical measures should be commensurate with the sensitivity of the personal information and the associated risks.
Highly sensitive data, such as information about children, may require a higher level of technical control.
Cyber Essentials is recommended as a base level standard for technical measures, especially for organizations working with the UK government.
The Cyber Essentials scheme outlines simple IT security measures considered essential for all UK organizations.
Cyber Essentials covers topics such as the scope of technical infrastructure, firewalls, device configuration, user access, malware protection, and system updates.
Access to Cyber Essentials guidelines is available for free, helping organizations assess their IT security.
For non-technical individuals, using long, strong passwords and enabling two-factor authentication are basic yet effective security practices.
Changing default passwords on new devices and implementing password protection on sensitive spreadsheets are recommended security measures.
Being mindful of what is sent and done digitally is crucial for safeguarding personal information.
Data mapping and data protection impact assessments can help identify processes that require stronger technical measures.
Technical measures implemented should be documented for future review and testing.
The importance of ongoing review and testing of technical measures to ensure continuous compliance with GDPR.
The video provides guidance for organizations to simplify their journey towards GDPR compliance, especially for those not technically minded.
Links to the Cyber Essentials scheme and additional resources for basic technical measures are provided for further assistance.
The video concludes with a teaser for the next topic, discussing processes in the context of GDPR compliance.
Transcripts
Hi, and welcome back to our GDPR compliance journey. I'm Mike Savin, and this time we're talking about technical measures. Now, this is a tricky area, because the GDPR is not the most useful in terms of what this means or what you have to do. It merely says you have to implement appropriate technical measures, such as data encryption or pseudonymisation. It doesn't tell you which you have to do, but the rules there really are around this: it needs to be appropriate and commensurate with the level of personal information and the risk that you are dealing with. So if you have some highly sensitive data around children, for example, you might want to put in some much greater level of technical control than if you just have the name and email of a few customers. So that's important to remember.

Now, we've had a good long think about what we need to do in terms of technical measures, and really we came to the decision that Cyber Essentials was a good way to go forwards with that. So let's take a quick look at the Guidelines software. So here we are at the Guidelines dashboard, and maybe you've noticed in previous videos that we don't just have the GDPR but we also have requirements for IT infrastructure, the Cyber Essentials scheme, and there's a very good reason we've included this, and it's all to do with technical measures and appropriate security. Now, the UK government has said that if you want to work with them then they recommend that you have Cyber Essentials, and they've tried to lay out a base level of quite simple IT security measures that they believe apply to all organisations in the UK and should be followed. So we believe that that is a good base level standard for organisations, and if anyone is to challenge an organisation on their technical measures and they've implemented Cyber Essentials, then at the very least they can say they've implemented the base level of IT needed. Whether or not it's appropriate needs a little more thought around the precise nature of personal data that you're processing, but it should take you a long way down the road to having completed the technical measures.

So let's just take a little bit of a closer look at the Cyber Essentials scheme. It covers some very broad, basic topic areas. So there are questions around the scope of your technical infrastructure: locations, the types of computing solutions you use, whether it's desktops, laptops, servers, cloud services. It covers firewalls: how you protect devices from intrusion and from the outside world. It covers the configuration of devices: have you disabled accounts, have you controlled who accesses those accounts, have you got password policies in place for your organisation, and more about how you control the security of configuration. It also covers user access: what sorts of controls do you have, how do you manage your accounts, the disablement of accounts and deletion of accounts. And then it also talks about malware: do you have antivirus, do you have anti-malware, do you have spam control. And finally it talks about keeping things updated, because, as hopefully you're aware, there are new vulnerabilities being identified all the time, so it's important that you keep things updated. So that's just a very brief overview of what's covered in Cyber Essentials. Hopefully you can see it's not too complicated. And also, just to point out, you can get access to Cyber Essentials for free in Guidelines; just sign up, it's free for everybody to use. That's a bit about Cyber Essentials.

Now, there may be many of you out there who are thinking, "I'm not technical, I don't know anything about IT, what should I do?" And really there are some very sensible things that you can do to make sure that you are technically being careful with the personal information that you have. So, things like: make sure you use long, strong passwords and that you don't use the same password between systems; make sure when you get a new device or a new firewall that you change the default password on them; make sure you use things like secure mobile phone codes, sometimes called two-factor; make sure you implement things like that. If you do use things like spreadsheets for names and emails and addresses and other personal information, consider putting a password on that spreadsheet. And really, above all, just be mindful of what you're sending and what you're doing. There's a lot of people out there who can help you with IT. We have some brand partners on our website. There are some links below on the screen, one to the Cyber Essentials scheme itself, so you can have a bit more of a read about that. The Cyber Essentials part of the Guidelines software is free, so go and sign up, it won't cost you a penny, and see where you are against that base level standard, and we'll put some more links in the help around basic technical things that you can do.

But getting back to the GDPR: what are the technical priorities, what do you need to do? Well, it really stems from, if you remember back a few videos ago, the data mapping we talked about. We talked about how, after we've done data mapping and identified processes that might present more risk, we would do a data protection impact assessment. The impact assessment details which measures you've put in place. So really, look at your impact assessment, look at what that is telling you about the technical measures you need to put in place, and go ahead and put those measures in place to make sure that you are as technically secure as you can be. And make sure you document what you've done, because it's no good putting things in and then forgetting what you've done. Make sure you've got a list of what you've put in, because what we're coming to in a later video is that you need to be able to review those measures and test those measures on an ongoing basis.

So that's it for now on technical measures. Quite a lot to take in for those that aren't technically minded, but we hope we've tried to make it a bit simpler for you. Next time we're going to talk about processes, and until then, we hope you find your compliance simple.