GDPR: An Important and Stricter Regulation for Protecting Information and Data in the Digital Age

In today’s digital age, data breaches inevitably happen. Information is released into the hands of people who were never intended to see it, or of people with malicious intent. Thus, under the terms of GDPR, not only must organisations ensure that personal data is gathered legally and under strict conditions, but those who collect and manage it are also required to protect the data from misuse and to respect the rights of data owners, or face penalties for not complying with the regulation.

Before moving ahead, one should understand what GDPR (the General Data Protection Regulation) stands for in the context of information security and IS audit. It is a data protection regulation enacted by the European Parliament. It reformed the EU’s Data Protection Directive of 1995, following a decision made by the European Commission in January 2012 to make Europe fit for the digital age and to give EU citizens more control over their personal data.

After four years of preparation and debate, it was finally published on 14 April 2016 and came into effect on 25 May 2018 throughout the EU. GDPR is therefore a new set of rules that applies, for the purposes of information security and IS audit, to any organisation operating within the EU, as well as to organisations located outside the EU that have customers or business within the EU.

GDPR: An Important and Stricter Regulation for Information Security and IS Audit

This regulation is about processing personal data and putting controls over it, so that data owners have the right to know how organisations are using, processing and storing their data. Organisations complying with the regulation should clarify the purposes and types of data processing: who within the organisation has access to the data; whether third parties access it and, if so, where they are located; what measures the organisation adopts to protect the data; and any plan to erase it. Here personal data means data such as the name, address and photos of European citizens and residents; even an IP address counts, and sensitive personal data such as genetic, health and biometric data is also considered personal data.

Since GDPR, from the information security and IS audit perspective, revolves around protecting personal data, the regulation applies to any individual or entity, public or private, which alone or jointly with others determines the purposes and means of the processing of personal data (the CONTROLLER), and to any individual or entity, public or private, which processes personal data on behalf of the controller (the PROCESSOR). Both data handlers must comply with GDPR; if they fail, the result can be a fine ranging from 10 million euros to four per cent of the company’s annual global turnover, depending upon the type of non-compliance.

Compliance with GDPR: Essential Steps to Follow

The maximum fine of 20 million euros or four per cent of worldwide turnover, whichever is greater, and a lower fine of 10 million euros or two per cent of worldwide turnover, will apply to organisations that mishandle data by not complying with GDPR requirements. To avoid such circumstances, organisations should put in place the resources, processes and people that assure compliance, so that it ultimately matures into day-to-day business operations:

    1. Appoint a Data Protection Officer (DPO) to ensure compliance with both national and international regulations across the organisation.
    2. Maintain documentation and provide legal justification for collecting, storing and processing personal data.
    3. Ensure that updated and tested data breach response policies and programmes exist to provide timely notification to regulators and consumers in the event of a data breach.
    4. Perform an audit of the organisation to determine where all the personal data is.
    5. Identify who has access to this data within the organisation, including any third-party involvement, and review contracts with third parties to ensure proper safeguards and mitigate security risk.
    6. Restrict access to personal data where required.
    7. Identify misconfigurations and vulnerabilities that could be used to gain unauthorised access to it, and ensure they are fixed.
    8. Conduct regular monitoring of the organisation’s security systems.
    9. Adopt technical measures such as pseudonymization and encryption of personal data, and organisational measures that limit and erase data which is no longer needed; in other words, collect and retain personal data only to the extent necessary.
    10. Carry out regular testing of all the technical and organisational measures that have been implemented.
    11. Ensure prompt restoration of personal data after any technical or physical incident.
    12. Apply tools to demonstrate compliance with and adherence to data security standards.
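Step 9 names pseudonymization and data minimisation as technical measures but does not show what they look like in practice. The following is an added example, not code from the original article: it pseudonymizes a constructed set of customer records with a keyed HMAC (so that the pseudonymized set cannot be re-linked to e-mail addresses by anyone who lacks the key), drops fields the downstream use case does not need, and shows how the controller, holding the key, still serves access and erasure requests. The record layout, the field names and the `FIELDS_NOT_NEEDED` policy are assumptions made for the example.

```python
"""Keyed pseudonymization and data minimisation for a personal-data set.

Added example for step 9 (pseudonymization, limiting and erasing data).
Not code from the original article; records, field names and use case
are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List

# Constructed sample records (fictional people, RFC 5737 test IP range).
SAMPLE_RECORDS: List[Dict[str, object]] = [
    {"name": "Anna Example", "email": "Anna@example.org", "ip": "203.0.113.7",
     "country": "DE", "order_total": 120},
    {"name": "Anna Example", "email": "anna@example.org", "ip": "203.0.113.9",
     "country": "DE", "order_total": 35},
    {"name": "Bo Sample", "email": "bo@example.net", "ip": "203.0.113.21",
     "country": "FR", "order_total": 80},
]

# Fields the (assumed) downstream analytics use case does not need.
# Dropping them at the source is the "retain only what is necessary" half
# of step 9.
FIELDS_NOT_NEEDED = {"name", "ip"}

# The direct identifier that links a record to a natural person.
ID_FIELD = "email"


def pseudonymise_id(identifier: str, key: bytes) -> str:
    """Return a keyed, one-way pseudonym for a direct identifier.

    HMAC-SHA256 rather than a bare hash: without the key, someone holding
    the pseudonymized set cannot confirm a guessed e-mail address by
    hashing it, which is the weakness of unkeyed hashing for low-entropy
    identifiers. Normalising case and whitespace keeps one person to one
    pseudonym.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise_record(record: Dict[str, object], key: bytes) -> Dict[str, object]:
    """Minimise the record and replace the direct identifier by a pseudonym."""
    kept = {k: v for k, v in record.items()
            if k not in FIELDS_NOT_NEEDED and k != ID_FIELD}
    kept["subject_id"] = pseudonymise_id(str(record[ID_FIELD]), key)
    return kept


def pseudonymise_dataset(records: List[Dict[str, object]], key: bytes) -> List[Dict[str, object]]:
    return [pseudonymise_record(r, key) for r in records]


def find_subject_records(pseudo_records: List[Dict[str, object]],
                         identifier: str, key: bytes) -> List[Dict[str, object]]:
    """Serve a data-subject access request.

    The controller, holding the key, recomputes the pseudonym from the
    identifier the subject supplies and selects their rows. A party
    without the key cannot do this, which is what makes the set
    pseudonymized rather than merely relabelled.
    """
    pid = pseudonymise_id(identifier, key)
    return [r for r in pseudo_records if r["subject_id"] == pid]


def erase_subject(pseudo_records: List[Dict[str, object]],
                  identifier: str, key: bytes) -> List[Dict[str, object]]:
    """Serve an erasure request: the data set without the subject's rows."""
    pid = pseudonymise_id(identifier, key)
    return [r for r in pseudo_records if r["subject_id"] != pid]


if __name__ == "__main__":
    # In production the key lives in a KMS or HSM, stored and access-controlled
    # separately from the data set; here it is generated for the demo run.
    key = secrets.token_bytes(32)
    pseudo = pseudonymise_dataset(SAMPLE_RECORDS, key)
    for row in pseudo:
        print(row)
    print(len(find_subject_records(pseudo, "anna@example.org", key)), "records for the subject")
    print(len(erase_subject(pseudo, "anna@example.org", key)), "records after erasure")
```

Two properties matter for the audit. First, the pseudonym is only as protective as the separation between key and data: if the key is stored next to the pseudonymized set, the set is effectively identified data. Second, rotating the key produces unlinkable pseudonyms, which is useful when a data set is handed to a new processor but also means access and erasure requests must be served against the key that was in force when the set was produced.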

Role of DPOs under GDPR

Data Protection Officers (DPOs) are responsible for educating employees within the organisation about important compliance requirements and for training the staff members who are associated with data processing. Performing regular security audits is another responsibility of DPOs. In addition, they act as the point of contact between the organisation and the supervisory authorities that oversee activities related to data collection and processing. However, it is not necessary that only staff members of the organisation be appointed as DPOs; a third-party service can also be engaged to fulfil the role. When selecting an external DPO, the organisation should ensure that the DPO has a thorough understanding of the business in which they are appointed.

In addition, GDPR neither requires any special qualification to hold the DPO title nor requires the DPO to be a technical person. Rather, the person should be wise enough to understand the business implications and know how to talk to and communicate with external parties such as the supervisory authority. However, Article 37 of GDPR requires DPOs to have expert knowledge of data protection law and practices. Information on the appointment of a DPO must also be made public and provided to all regulatory oversight bodies.

GDPR Breach Notification

When an organisation suffers an event in which data is lost, whether because of a cyberattack, human error or anything else, GDPR sets out a duty for the organisation to report the data breach to the relevant supervisory authority and to customers without undue delay. In the report, the organisation is required to include approximate details about the breach, the categories of information involved and the number of individuals compromised by the incident. The organisation also needs to provide a description of the potential consequences of the data breach, such as theft of money or identity fraud, and the detailed actions taken to deal with the breach and to counter any negative impacts on individuals.

These descriptions need to be provided to the relevant supervisory authority, and also to the victims directly, within seventy-two hours of the event. Breach notification should be communicated through one-to-one correspondence with those affected; if the breach is serious enough in terms of the customers affected, then the public must be notified.

Documentation Requirements under GDPR for Information Security and IS Audit

GDPR mandates no particular documentation structure. Organisations just need to have a record of the approval process they use to obtain the information, records of how the design has been implemented from a data-protection perspective and how it has been made core to the organisation’s processes, and a documented process explaining how a breach is handled, in order to meet the supervisory authority’s requirements. However, none of these records is mandatory in itself; it is about presenting the organisation’s functional records, which it maintains to align with its own rules over the period, for running the business based upon industry standards.

Technological Requirements under GDPR for Information Security and IS Audit

GDPR is based upon the European Union’s Data Protection Directive, and technologies such as cloud computing, social networking, the internet of things and machine learning were not available when the Directive was established in 1995. GDPR is therefore ambiguous when it comes to prescribing solutions or technologies for fulfilling compliance, and this is intentional: GDPR is designed to accommodate new and emerging technologies. However, this flexibility leaves many organisations lacking guidance on which technologies can help enable GDPR compliance.

Handling Different Types of Data

Organisations are well aware that the cost of technology will vary based upon the type of data they deal with, so they need to ensure that if they handle sensitive types of data, they apply the highest level of security controls. If ambiguity remains, it is better to carry out a visibility assessment of what data exists within the organisational environment and what types of personal data have been collected, handled and stored. Such an assessment gives organisations a deep understanding of their risk exposure and helps prioritise further compliance efforts with respect to technological requirements.

Now, organisations thinking of complying with GDPR may have questions about which functions, processes or departments should be in scope for compliance. The answer is that GDPR compliance must involve the entire organisation: it applies to any function, process or department that handles personal data, including the data of employees, contractors, suppliers and customers. Once organisations understand this, they can start to structure a plan for compliance that will satisfy the requirements of GDPR. The planning is done by asking some basic questions around how and why they collect personal data.

Using the Personal Data

They should also ask how they use the personal data and what value it has to a given function, process or department, before considering what they need to ensure in order to continue working with it. After this step, the changes needed in the current business circumstances will emerge naturally, which helps encourage the support required to dedicate the resources and budgets that empower change within the organisation. However, one of the most challenging issues organisations may face with GDPR is planning for and standing up a multinational response team, including legal counsel, communications professionals, data breach resolution providers and forensic experts.

Aside from its challenges, global experience with GDPR implementation shows that it has become a necessity in the fight against cybercrime. The number of records breached each year is growing, and cybercriminals are always hunting for organisations’ personal data. Once GDPR is implemented, the regulation puts much more responsibility on data processors and controllers to proactively implement security best practices, monitor customer information, and adopt pseudonymization and encryption techniques to protect sensitive information. This will be especially challenging for many organisations that are moving infrastructure and applications to the cloud, where they will have less visibility and control but still be fully responsible for the data.