Understanding GDPR: Balancing Data Privacy, Security, and Organizational Controls (Full Transcript)

Speaker 1: While GDPR is primarily a data privacy law, it also includes elements of data security, and those requirements apply to both controllers and processors. GDPR is not prescriptive when it comes to security requirements for processing personal data. Instead, GDPR requires each organization to evaluate its own security based on risk, processing activities, and organizational structure. And that's because privacy needs evolve and privacy threats evolve, so GDPR is designed to evolve along with those needs and those privacy threats. Some examples of appropriate organizational and technical controls include risk assessments, encryption, pseudonymization, and documented information security policies that cover things like business continuity, physical security, logical access, configuration management, human resources, and management oversight. Now, in addition to those particular controls and documentation around the policies and procedures of those controls, there should also be a process to monitor and test the effectiveness of those controls, and that's where internal and third-party auditing comes into play. There have been some unofficial attempts to map GDPR requirements to ISO 27001 and SOC audits, and those are effective ways of monitoring organizational controls, but for GDPR purposes, they may be incomplete with respect to some of the data privacy elements. Because GDPR is not prescriptive when it comes to the appropriate organizational and technical controls, there will be codes of conduct and certification standards that will provide some level of prescriptiveness when it comes to security of processing. Until those codes come out or if an organization chooses to define its own standards for what is appropriate, things like third-party audits and internal audits will serve as an effective way of demonstrating that thought and objectivity has been considered when it comes to what is appropriate for an organization. In order to determine whether or not a control is appropriate, whether that's an organizational control or a technical control, it's important to know what the goal is for security of processing under GDPR. The goal is to prevent the unauthorized or accidental loss, destruction, use, or disclosure of personal data. For almost any security threat, there is one or more tools or controls. If your budget, time, and resources are unlimited, fortunately GDPR allows organizations to take into consideration the cost, practicality, and reasonableness of a control to mitigate risk and expects organizations to take what is appropriate for the organization, for the risk, and for the processing activity. In addition to considering the processing risk to data subjects, organizations are also allowed to consider the ability and resources of the organization to implement a control. Just because a control is a possible control that would mitigate a risk doesn't mean it's an appropriate control. It might be beyond the scope because it's too expensive or not practical, or it might not be insufficient because it's not secure enough.