GDPR Compliance Journey - 13 Technical Measures

Gydeline
17 May 2018, 07:51

Summary

TL;DR: In this GDPR compliance video, Mike Savin discusses the importance of implementing appropriate technical measures to protect personal data. He highlights the need to assess the level of sensitivity of the data and the associated risks, suggesting Cyber Essentials as a base level standard for UK organizations. Savin also offers practical advice for non-technical individuals on securing personal information, emphasizing the importance of documentation and ongoing review of these measures.

Takeaways

  • 🔒 GDPR requires the implementation of appropriate technical measures to protect personal data, but it does not specify which measures to use.
  • 📏 The level of technical measures should be commensurate with the sensitivity of the personal information and the associated risks.
  • 👶 For highly sensitive data, such as information about children, a higher level of technical control is recommended.
  • 💡 Cyber Essentials is suggested as a good starting point for implementing technical measures, providing a base level of IT security.
  • 🇬🇧 The UK government recommends Cyber Essentials for organizations wanting to work with them, indicating its importance.
  • 🔄 Cyber Essentials covers a broad range of topics including infrastructure scope, firewalls, device configuration, user access, malware protection, and system updates.
  • 🆓 Access to Cyber Essentials is available for free through the Guidelines software, making it accessible to all organizations.
  • 👷 For those not technically minded, simple steps like using strong passwords, changing default passwords, and enabling two-factor authentication can enhance security.
  • 📊 Data mapping and Data Protection Impact Assessments (DPIAs) are crucial for identifying necessary technical measures and assessing their effectiveness.
  • 📝 Documentation of implemented technical measures is essential for ongoing review and testing of security measures.
  • 🔄 Regular review and testing of technical measures ensure ongoing compliance and security.

Q & A

  • What is the main topic discussed in the video script?

    - The main topic discussed in the video script is the implementation of technical measures as part of GDPR compliance, with a focus on the Cyber Essentials scheme as a base level standard for organizations.

  • What does GDPR require in terms of technical measures?

    - GDPR requires organizations to implement appropriate technical measures such as data encryption or pseudonymization, which should be commensurate with the level of personal information and the associated risks.

  • What is Cyber Essentials and why is it recommended by the UK government?

    - Cyber Essentials is a scheme that lays out a base level of simple IT security measures that the UK government recommends all organizations should follow. It is designed to help protect against common cyber threats and is considered a good starting point for technical measures.

  • What are some of the basic topic areas covered by the Cyber Essentials scheme?

    - The Cyber Essentials scheme covers areas such as the scope of technical infrastructure, firewalls, device configuration, user access control, malware protection, and the importance of keeping systems updated.

  • How can non-technical individuals ensure they are being careful with personal information?

    - Non-technical individuals can ensure careful handling of personal information by using long and strong passwords, changing default passwords on new devices, implementing two-factor authentication, and being mindful of what they send and do.

  • What is the significance of data mapping in the context of GDPR compliance?

    - Data mapping is significant as it helps identify processes that may present more risk, guiding the organization to perform a data protection impact assessment and determine the necessary technical measures to be implemented.

  • Why is it important to document the technical measures implemented?

    - Documenting technical measures is important because it allows organizations to review and test these measures on an ongoing basis, ensuring continuous compliance and the ability to demonstrate compliance if challenged.

  • How can organizations access the Cyber Essentials guidelines and what does it cost?

    - Organizations can access the Cyber Essentials guidelines for free by signing up on the guidelines software platform, which is available to everyone at no cost.

  • What is the next step after implementing technical measures according to the video script?

    - The next step after implementing technical measures is to review and test these measures regularly, which will be discussed in a later video.

  • What is the role of a data protection impact assessment in determining technical measures?

    - A data protection impact assessment helps detail which measures have been put in place and is crucial for identifying the necessary technical measures based on the risks associated with specific data processing activities.

  • What are some practical steps for organizations to enhance their technical security?

    - Practical steps include implementing strong password policies, using secure mobile phone codes for two-factor authentication, and considering password-protecting spreadsheets that contain personal information.

Outlines

00:00

🔒 Understanding GDPR's Technical Measures

In this video segment, Mike Savin discusses the complexities of implementing technical measures as per the General Data Protection Regulation (GDPR). The GDPR requires organizations to put in place 'appropriate technical measures' for data protection, but it does not specify which measures to take. The focus is on ensuring that the measures are proportional to the level of personal information and the associated risks. Savin emphasizes the importance of considering the sensitivity of data, such as data involving children, which might necessitate higher levels of technical control. He introduces Cyber Essentials as a recommended starting point for organizations to meet the GDPR's technical requirements, explaining that it provides a base level of IT security measures that are recommended by the UK government for all organizations. The segment also covers the broad areas covered by Cyber Essentials, including infrastructure scope, firewalls, device configuration, user access control, malware protection, and the importance of keeping systems updated.

05:02

🛡️ Practical Steps for Non-Technical GDPR Compliance

This paragraph provides guidance for individuals and organizations that may not be technically adept but still need to ensure compliance with GDPR's technical measures. It suggests practical steps such as using strong, unique passwords, changing default passwords on new devices, employing two-factor authentication, and securing documents containing personal information with passwords. The speaker encourages viewers to be mindful of their data handling practices and to seek help from IT professionals if needed. He also mentions the availability of the Cyber Essentials scheme for free through the Guidelines software, which can help organizations assess their current security measures against a base level standard. The paragraph concludes by linking the discussion back to previous videos on data mapping and data protection impact assessments, emphasizing the importance of documenting technical measures and reviewing them regularly to maintain compliance.

Keywords

💡GDPR

The General Data Protection Regulation (GDPR) is a regulation in EU law that focuses on data protection and privacy for individuals within the European Union. It is central to the video's theme as it discusses the technical measures required by GDPR to ensure the security of personal data. The script mentions that GDPR requires 'appropriate technical measures' without specifying which ones, leaving it to organizations to determine the best approach based on the sensitivity of the data they handle.

💡Technical Measures

Technical measures refer to the safeguards implemented to protect data from unauthorized access, breaches, or loss. In the context of the video, these measures are crucial for GDPR compliance and include actions like data encryption and pseudonymization. The script emphasizes that the level of technical measures should be proportionate to the risk associated with the data being processed.

💡Data Encryption

Data encryption is the process of converting data into a code to prevent unauthorized access. It is one of the technical measures mentioned in the script as a method to secure personal information. The video suggests that organizations with highly sensitive data might need to implement strong encryption to comply with GDPR.

💡Pseudonymization

Pseudonymization is a technique used to protect personal data by replacing identifiable information with artificial identifiers or pseudonyms. The script briefly mentions it as a technical measure under GDPR, suggesting it as a way to reduce the risk of data exposure.
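As an added illustration (not from the video or from Gydeline's software), the following Python applies keyed pseudonymisation to a small constructed spreadsheet of the kind the video mentions (names, emails, addresses). It assumes HMAC-SHA256 as the pseudonym function and that the key and the lookup table are held separately from the working data, which is what makes the result pseudonymised rather than anonymised under GDPR Art. 4(5).

```python
import csv
import hashlib
import hmac
import io
import secrets

# Constructed sample "spreadsheet" of names, emails and postcodes.
# These are made-up records, not real people.
SAMPLE_CSV = """name,email,postcode,newsletter
Alice Example,alice@example.com,AB1 2CD,yes
Bob Sample,bob@example.org,EF3 4GH,no
Alice Example,alice@example.com,AB1 2CD,yes
"""

# Fields that directly identify a person and must be replaced.
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonym(value: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the normalised value.

    A keyed construction is used instead of a bare hash because names and
    emails are low-entropy: without a key, anyone who already holds a
    candidate value can recompute its hash and confirm a match. With the key
    held separately, only the key holder can link a pseudonym to a person.
    Normalising case and whitespace keeps one person -> one pseudonym.
    """
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymise_csv(csv_text: str, key: bytes):
    """Replace direct identifiers in every row with keyed pseudonyms.

    Returns (pseudonymised rows, lookup table). The lookup table is the
    'additional information' of GDPR Art. 4(5): store it apart from the
    working data, under its own access controls.
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    lookup = {}
    out = []
    for row in rows:
        new_row = dict(row)
        for field in DIRECT_IDENTIFIERS:
            token = pseudonym(row[field], key)
            lookup[(field, token)] = row[field]
            new_row[field] = token
        out.append(new_row)
    return out, lookup


def reidentify(row: dict, lookup: dict) -> dict:
    """Restore original identifiers using the separately held lookup table."""
    restored = dict(row)
    for field in DIRECT_IDENTIFIERS:
        restored[field] = lookup[(field, row[field])]
    return restored


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generate once; keep apart from the data
    rows, lookup = pseudonymise_csv(SAMPLE_CSV, key)
    for r in rows:
        print(r)
    print(reidentify(rows[0], lookup))
```

Note that the repeated "Alice" rows receive the same pseudonym, so the pseudonymised sheet can still be deduplicated and joined, while the postcode and newsletter columns are left untouched and would need a separate DPIA judgement on whether they remain identifying in combination.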

💡Cyber Essentials

Cyber Essentials is a UK government-backed cybersecurity certification that sets out a good practice baseline of controls in five key areas to protect against the most common internet threats. The video script highlights Cyber Essentials as a recommended starting point for organizations to meet the technical measures required by GDPR, indicating it as a base level standard for IT security.

💡IT Infrastructure

IT infrastructure refers to the framework of hardware, software, networks, and facilities that run an organization's information system. The script discusses the importance of securing IT infrastructure as part of GDPR's technical measures, emphasizing the need for organizations to assess and protect their computing solutions, whether they are desktops, laptops, servers, or cloud services.

💡Data Mapping

Data mapping is the process of documenting and analyzing the flow of data within an organization. In the script, it is mentioned as a prior step to identifying processes that might present more risk, which would then require a data protection impact assessment. This process helps organizations understand where their data is and how it moves, which is essential for implementing appropriate technical measures.

💡Data Protection Impact Assessment (DPIA)

A DPIA is a process for evaluating the risks of proposed processing operations to the rights and freedoms of individuals by a controller or processor. The video script suggests that after data mapping, organizations should conduct a DPIA to identify processes that require additional technical measures to mitigate potential risks.

💡Two-Factor Authentication

Two-factor authentication (2FA) is a security process in which a user provides two different authentication factors to verify themselves. The script recommends using 2FA, such as secure mobile phone codes, as a technical measure to enhance security, especially for those who may not be technically minded.

💡Antivirus and Anti-Malware

Antivirus and anti-malware software are programs that protect computers from malicious software, viruses, and other threats. The script includes these as part of the Cyber Essentials scheme, indicating that having such software is a basic technical measure for securing an organization's IT infrastructure against cyber threats.

💡Password Policies

Password policies are the rules and guidelines set by an organization to ensure that passwords are strong and secure. The video script mentions the importance of having password policies in place as part of the technical measures to protect personal data, emphasizing the need for complexity and regular changes.

Highlights

The GDPR requires implementing appropriate technical measures but does not specify which ones.

Technical measures should be commensurate with the level of personal information and the associated risks.

Highly sensitive data, such as information about children, may require a higher level of technical control.

Cyber Essentials is recommended as a base level standard for technical measures, especially for organizations working with the UK government.

The Cyber Essentials scheme outlines simple IT security measures considered essential for all UK organizations.

Cyber Essentials covers topics such as the scope of technical infrastructure, firewalls, device configuration, user access, malware protection, and system updates.

Access to Cyber Essentials guidelines is available for free, helping organizations assess their IT security.

For non-technical individuals, using long, strong passwords and enabling two-factor authentication are basic yet effective security practices.

Changing default passwords on new devices and implementing password protection on sensitive spreadsheets are recommended security measures.

Being mindful of what is sent and done digitally is crucial for safeguarding personal information.

Data mapping and data protection impact assessments can help identify processes that require stronger technical measures.

Technical measures implemented should be documented for future review and testing.

Ongoing review and testing of technical measures is important to ensure continuous compliance with GDPR.

The video provides guidance for organizations to simplify their journey towards GDPR compliance, especially for those not technically minded.

Links to the Cyber Essentials scheme and additional resources for basic technical measures are provided for further assistance.

The video concludes with a teaser for the next topic, discussing processes in the context of GDPR compliance.

Transcripts

[00:00] [Music]

[00:03] Hi and welcome back to our GDPR compliance journey. I'm Mike Savin and this time we're talking about technical measures. Now this is a tricky area because the GDPR is not the most useful in terms of what this means or what you have to do. It merely says you have to implement appropriate technical measures such as data encryption or pseudonymisation. It doesn't tell you which you have to do, but the rules there really are around: it needs to be appropriate and commensurate with the level of personal information and the risk that you are dealing with. So if you have some highly sensitive data around children, for example, you might want to put in some much greater level of technical control than if you just have the name and email of a few customers. So that's important to remember.

[01:05] Now we've had a good long think about what we need to do in terms of technical measures, and really we came to the decision that Cyber Essentials was a good way to go forwards with that. So let's take a quick look at the guidelines software. So here we are at the guideline dashboard, and maybe you've noticed in previous videos that we don't just have the GDPR but we also have requirements for IT infrastructure, the Cyber Essentials scheme, and there's a very good reason we've included this and it's all to do with technical measures and appropriate security. Now the UK government has said that if you want to work with them then they recommend that you have Cyber Essentials, and they've tried to lay out a base level of quite simple IT security measures that they believe all organisations in the UK should follow. So we believe that that is a good base level standard for organisations, and if anyone is to challenge an organisation on their technical measures and they've implemented Cyber Essentials, then at the very least they can say they've implemented the base level of IT needed. Whether or not it's appropriate needs a little more thought around the precise nature of personal data that you're processing, but it should take you a long way down the road to having completed the technical measures.

[02:44] So let's just take a little bit of a closer look at the Cyber Essentials scheme. It covers some very broad basic topic areas. So there are questions around the scope of your technical infrastructure: locations, the types of computing solutions you use, whether it's desktops, laptops, servers, cloud services. It covers firewalls: how you protect devices from intrusion and from the outside world. It covers the configuration of devices: have you disabled accounts, have you controlled who accesses those accounts, have you got password policies in place for your organisation, and more about how you control the security of configuration. It also covers user access: what sorts of controls do you have, how do you manage your accounts, the disablement of accounts and deletion of accounts. And then it also talks about malware: do you have antivirus, do you have anti-malware, do you have spam control. And finally it talks about keeping things updated, because as hopefully you're aware there are new vulnerabilities being identified all the time, so it's important that you keep things updated. So that's just a very brief overview of what's covered in Cyber Essentials. Hopefully you can see it's not too complicated, and also just to point out, you can get access to Cyber Essentials for free in guideline: just sign up, it's free to everybody to use. That's a bit about Cyber Essentials.

[04:50] Now there may be many of you out there who are thinking, I'm not technical, I don't know anything about IT, what should I do? And really there are some very sensible things that you can do to make sure that you are technically being careful with the personal information that you have. So things like: make sure you use long, strong passwords and that you don't use the same password between systems; make sure when you get a new device or a new firewall that you change the default password on them; make sure you use things like secure mobile phone codes, sometimes called two-factor, make sure you implement things like that; if you do use things like spreadsheets for names and emails and addresses and other personal information, consider putting a password on that spreadsheet; and really, above all, just be mindful of what you're sending and what you're doing. There's a lot of people out there who can help you with IT. We have some brand partners on our website. There are some links below on the screen, one to the Cyber Essentials scheme itself so you can have a bit more of a read about that. The Cyber Essentials part of the guidelines software is free, so go and sign up, it won't cost you a penny, see where you are against that base level standard, and we'll put some more links in the help around basic technical things that you can do.

[06:30] But getting back to the GDPR, what are the technical priorities you need to do? Well it really stems, if you remember back a few videos ago, we talked about data mapping, and we talked about after we've done data mapping, where we've identified processes that might present more risk, that we would do a data protection impact assessment. The impact assessment details which measures you've put in place. So really look at your impact assessment, look at what that is telling you about the technical measures you need to put in place, and go ahead and put those measures in place to make sure that you are as technically secure as you can be. And make sure you document what you've done, because it's no good putting things in and then forgetting what you've done. Make sure you've got a list of what you've put in, because what we're coming to on a later video is you need to be able to review those measures and test those measures on an ongoing basis.

[07:32] So that's it for now on technical measures. Quite a lot to take in for those that aren't technically minded, but we hope we've tried to make it a bit simpler for you. Next time we're going to talk about processes, and until then we hope you find your compliance simple.

Related Tags

GDPR Compliance, Technical Measures, Data Encryption, Cyber Essentials, IT Security, Data Protection, Risk Assessment, Password Security, Antivirus Software, Two-Factor Auth, Cybersecurity Best Practices