GDPR Cybersecurity: Key Measures for Compliance with the Integrity and Confidentiality Principle

GDPR Cybersecurity: Key Measures for Compliance with the Integrity and Confidentiality Principle

The 6th GDPR principle (Integrity and Confidentiality), also known as the Security principle, requires organizations to implement robust cybersecurity measures to protect personal data from cyber security risks.

In other words, you need to set up systems to ensure that personal data you collected cannot be accessed by unauthorized parties and won't be lost or damaged.

In this article, I share some technical and organizational measures examples to help you comply with the GDPR cyber security requirements.

Key Takeways
red lock and metal chain on keyboard
  • The GDPR cybersecurity requirements are outlined in Article 5(f) of the GDPR.
  • To comply with this principle, you should implement data protection measures at every stage, including preventive measures, secure data transfer, and breach management.
  • Additionally, you must outline clear procedures and establish proper organizational structures to oversee and enforce these cybersecurity practices effectively.
Work with me
gdpr cybersecurity European union flag

What is the GDPR and is it applicable to you?

As a reminder, the General Data Protection Regulation (GDPR) is a data protection regulation in the European Union that sets guidelines for the processing of personal data to ensure privacy.

It is applicable to you if you have a business relationship with customers based on one of the GDPR countries, regardless of where the company is located.

Therefore, even if you are based in the US, you are required to comply with the GDPR if you have customers living in the EU/EEA.

Non-compliance with the GDPR can lead to significant fines, as illustrated by this article with examples of GDPR principle violations and penalties.

GDPR cybersecurity preventive measures

Article 5(f) of the GDPR requires that you protect personal data using appropriate security measures to prevent unauthorized access or data loss.

To comply with this requirement, consider implementing the following preventive cybersecurity measures:

  • Data Encryption: Encrypt personal data both when stored and during transmission to ensure it remains confidential and is protected from unauthorized access
  • Access Control: Implement strict access controls, using strong passwords or multi-factor authentication (MFA) to prevent access from unauthorized parties
  • Data Anonymization: Apply anonymization to to transform personal data into a form that cannot be traced back to an individual, which will limit the exposure of personal data
  • Third-Party Collaborators: Ensure that third-party collaborators implement adequate security measures. This is even more important if you collaborate with third-parties located in non-GDPR countries.
female programmer coding and typing on white keyboard

Regular detection and monitoring systems

The GDPR emphasizes the importance of protecting personal data, and a key component of this is your cybersecurity detection and assessment system.

This means that you should regularly monitor and evaluate your security measures to identify potential vulnerabilities and threats to personal data.

Here are some effective cybersecurity measures you can take:

  • Regular Risk Assessments: Conduct regular cybersecurity risk assessments to identify vulnerabilities and mitigate risks before they lead to data breaches
  • Regular Software Updates: Keep all software up to date to protect against known cybersecurity threats and vulnerabilities
  • System Monitoring Tools: Use tools to scan and monitor your systems for unusual activity and potential security breaches
  • Penetration Testing: Regularly perform penetration testing to identify weak points in your system and address them proactively

By detecting breaches quickly and assessing their impact, you can respond effectively to minimize damage.

Proactively managing these cybersecurity risks not only ensures GDPR compliance but also builds trust with your customers by keeping their personal data safe and secure.

Effective reporting system for personal data breaches

Under the GDPR, you are required to have an effective reporting system in place to respond to data breaches swiftly.

In the event of a breach, it is crucial to act quickly to report it to the relevant authorities and, in certain cases, notify the affected individuals. Therefore, you need to establish clear procedures for identifying, documenting, and communicating about data breaches.

Some information your data breach policy could include are:

  • Detection systems: In this section, you can describe the systems you have in place to detect data breaches immediately when they occur
  • Impact Assessment: Here, you can outline the systems you would use to assess the impact of a breach and determine if it involves personal data that needs to be reported
  • Timing: Report breaches to the relevant authorities within 72 hours, as required by the GDPR so you should indicate that in your policy as well
  • People to be notified: List the people to be notified (e.g., authorities, customers in the case where the breach could affect their rights)
  • Documentation: Maintain records of all data breaches, even if they don't require reporting, for accountability and future reference in case your company gets audited.

By having an effective data breach reporting system, you ensure GDPR cybersecurity compliance, protect your organization's reputation, and maintain the trust of your customers.

Secure data transfer system

A secure data transfer system is essential for complying with GDPR cybersecurity requirements.

This means you need to implement measures that protect personal data when it is shared or transferred, whether internally or externally. This is especially important if you are transferring data to non-GDPR countries.

  • Encryption: Use encryption to protect personal data during transmission
  • Secure File Transfer Methods: Implement secure protocols such as SFTP (Secure File Transfer Protocol) or FTPS (FTP Secure) to safely transfer data over the internet
  • Virtual Private Networks (VPNs): Use VPNs to establish secure, encrypted connections for transferring data between remote systems and networks
  • Data Masking: Use data masking techniques to protect sensitive data by replacing it with fictional data
  • Secure Email Communication: For sensitive transfers via email, use encryption tools (e.g., PGP or S/MIME) to ensure email content is secure. Don't use bulk email methods (such as BCC), as you could be fined for negligence.
  • Secure Cloud Storage: Use secure cloud storage solutions to store and share data safely
  • Logs: Maintain detailed logs of all data transfers to track who accessed or transferred personal data
  • Data Integrity Checks: Perform data integrity checks to ensure that no unauthorized modifications are made to the data during transfer
  • Secure APIs: If transferring data via APIs, ensure they are secure

By implementing these secure data transfer measures, you not only meet GDPR requirements but also safeguard your customers' data from unauthorized access or breaches.

programmer screen terminal
male programmer coding and typing on white keyboard

DPO and GDPR organizational structure

Having an effective organizational structure can really help implementing GDPR cybersecurity measures and ensuring GDPR compliance.

A Data Protection Officer (DPO) is required for larger organizations and is responsible for ensuring GDPR compliance and acting as a point of contact for national authorities and customers.

For smaller structures, though, a DPO might be too costly. In that case, you should still ensure that you have an organizational structure that promotes GDPR compliance.

This means

  • Clear role assignments: Make sure that the employees responsible for managing GDPR compliance understand their role regarding data protection
  • Encourage cross-department collaborations: All the employees should work together to ensure GDPR compliance
  • Employee Training: Provide training to employees on cybersecurity and GDPR compliance
  • Communication channels: Set up clear communication channels
  • Procedures and documentations: Have clear data protection procedures and documentations employees can refer to

Conclusion

By adopting preventive cybersecurity practices, setting up clear procedures for data breaches, implementing secure data transfer protocols, and establishing a clear organizational structure, you can mitigate risks and effectively comply with the GDPR Security Principle.

However, be sure to check with an expert or attorney to ensure your compliance strategy is thorough and up-to-date.

Disclaimer: This article is written by Valine Mayer-Trinh, a New York attorney with an LLM degree from Cornell and master’s degrees in business and financial law from top French law schools.

While I strive to provide accurate and up-to-date legal information, this article is for general informational purposes only and does not constitute legal advice. This is a platform for me to express my thoughts and reading this article does not create an attorney-client relationship.

Although I have extensive education in French law, please note that I am only licensed to practice in New York, not Europe. The legal landscape is complex, new regulations may emerge, and the application of existing laws can vary depending on specific circumstances. Therefore, I strongly encourage you to consult with an expert and qualified attorney to address your specific legal concerns.

Newsletter

Get more insights straight to your inbox







person subscribing by pressing on a blue technology button featuring a justice scale