In this third part of our series on the technology assessment required for the GDPR implementation, we are looking into access control and security.
Within this series, we have shared insights into technical areas we often analyse for our clients in the private and public sector, such as:
- Assessment of data flow, transfer, and sharing
- Assessment of data storage, retention, and deletion
- Assessment of access control and security
- Assessment of access procedures, policy, and legal contracts
Assessment of access control and security
Data on a cloud/server is generally accessed remotely through different security protocols such as:
- Secure Socket Shell (SSH) which uses public-key cryptography for authentication
- Two-Factor Authentication (2FA) requiring a password and a time-sensitive code sent to a mobile device
Another element to assess is the access management, e.g., removing access to staff that have left, limit access to specific roles or allow access on a time-limited basis.
Such security controls feed directly into the GDPR requirements to integrate appropriate technical security measures to protect data and mitigate the liability of the data controller when (not if) they suffer a data breach.
Numerous national Data Protection Authorities have specified that they will use the GDPR as a lever to improve the information security profile of businesses within their jurisdiction.
Our GDPR service offering includes:
- Data Protection Impact Assessments of existing and proposed technologies, leveraging both our technical and data protection expertise
- Assessment and updating existing privacy notices and consent requirements for our clients
- Assessing the legal basis for processing our clients’ businesses rely upon, and assessing and updating their policies and procedures
Data Protection Impact Assessment (DPIA)
Trilateral provides compliance roadmaps and DPIA templates for organisations, as well as train their staff to complete these activities, thereby assisting them to manage their future compliance costs.
Do you really need a Data Protection Officer (DPO)?
We provide an external DPO service for businesses and organisations who do not need or cannot currently justify, employing a full-time internal DPO.
For more information please contact our team.