Summary of the regulation steps
- Storage should be encrypted at rest
- Data should be secure in transit
- Extract personal data so it can be stored and controlled separately
- Consider Single Sign-on system
Examine your data storage for Personally Identifiable Information (PII) and seek to extract it from the core of your application. Data that can be managed separately allows for security, backup and removal of that data without affecting day-to-day operations.
A typical problem arises when a user's email address is used as the key that joins the transaction data needed for day-to-day operation. Because the email address is personal data that the user may ask you to remove, deleting it could disrupt business operations.
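The separation described above, as an added example (not from the original post): PII lives in its own table behind a surrogate key, transactions reference only that key, and erasing a person leaves the operational data intact. It assumes an in-memory SQLite database with constructed sample rows.

```python
"""Keep personal data apart from transactional data (added example).

Assumptions: SQLite in memory, constructed sample rows. The email address
is stored once, in the person table, and transactions carry only the
surrogate person_id, so erasure never touches day-to-day data.
"""
import sqlite3

SCHEMA = """
CREATE TABLE person (
    person_id INTEGER PRIMARY KEY,
    email     TEXT NOT NULL UNIQUE,   -- personal data, held only here
    full_name TEXT NOT NULL
);
CREATE TABLE txn (
    txn_id     INTEGER PRIMARY KEY,
    person_id  INTEGER NOT NULL,      -- surrogate key, deliberately no FK so the
    amount_gbp REAL NOT NULL          -- PII row can be erased independently
);
"""

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # Constructed sample data, not real customers.
    conn.execute("INSERT INTO person VALUES (1, 'alice@example.com', 'Alice Example')")
    conn.execute("INSERT INTO person VALUES (2, 'bob@example.com', 'Bob Example')")
    conn.executemany("INSERT INTO txn VALUES (?, ?, ?)",
                     [(10, 1, 19.99), (11, 1, 5.00), (12, 2, 42.50)])
    conn.commit()
    return conn

def person_id_for(conn, email):
    """Day-to-day lookup: resolve an email to its surrogate key."""
    row = conn.execute("SELECT person_id FROM person WHERE email = ?", (email,)).fetchone()
    return row[0] if row else None

def erase_person(conn, person_id):
    """Right to erasure: delete the PII row only; transactions keep the id."""
    cur = conn.execute("DELETE FROM person WHERE person_id = ?", (person_id,))
    conn.commit()
    return cur.rowcount

def revenue_total(conn):
    """Operational query that must keep working after an erasure."""
    return round(conn.execute("SELECT SUM(amount_gbp) FROM txn").fetchone()[0], 2)

def remaining_pii(conn):
    """How many people still have personal data on record."""
    return conn.execute("SELECT COUNT(*) FROM person").fetchone()[0]
```

Had the email been the join key of `txn`, erasing it would have orphaned or deleted the transaction rows themselves.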
Add support for encrypting your database and files at rest, and ensure that communications between your own systems and your partners use secure connections, such as HTTPS with valid certificates.
Privacy by design helps your data security as well as your customers. If data is secure, you are less likely to have to report a data breach to the Information Commissioner's Office (ICO) and to all of your customers.
If you were to experience a cyber breach, the ICO will need to investigate your company.
Data breaches need to be reported to the ICO and to your partners
- Do you know what personal data your business holds and where it’s stored?
- Do all your employees know that they have a responsibility for data protection?
- Do you have processes in place to regularly assess your security posture?
- Would you know if an attacker resided in your network and how would you respond?
Do you have a GDPR process that you still have questions about?
Send me your thoughts; we can advise you on roadmap steps to production.