One of the notable features of the GDPR is that it avoids being prescriptive about how companies should go about implementing the required level of privacy and associated cyber security. It simply mandates that companies ensure “an appropriate level of security, including confidentiality”.

In other words, it puts the ball firmly in the court of those collecting and processing the data, obliging them to keep up to date with developments in the area of IT security, including both threats and ways to counter them. It puts the onus on the organisation to take measures that are relevant to their situation.

It should also be noted that, in the context of the GDPR, the idea of data security is much broader than just protecting it from theft. It also includes preventing the accidental or unlawful destruction, loss and/or alteration of data.

Privacy From The Ground Up

One of the key premises of the GDPR is that, going forward, the idea of protecting privacy should be an overarching consideration of the design and development process of any new activity that involves the collection of protected personal data. For example, the EU suggests that when new apps are created, IT security experts like WeSeeNow should work together with business representatives such as the marketing team to determine how best to create an app that meets business requirements in a secure way and also guarantees the safety of data.

Breaches Must Be Reported

The GDPR has yet to be implemented, so it remains to be seen how the requirement to report data protection breaches will be interpreted in practice. Interestingly, Standards and Regulated Policy does make allowances for data controllers to choose to keep a breach private if it is unlikely to have any meaningful impact.

Assuming, however, that a breach does need to be reported, the report must be issued “without undue delay”, and there is an expectation that it will be made within a maximum of 72 hours unless there is a very good reason why it should take longer. Compliance also mandates that the notification must inform the data subjects of the potential impact on them and of how they can potentially mitigate it.
