GDPR and information security – 7 ways to improve information security


The General Data Protection Regulation (GDPR) is widely regarded as the toughest data protection law in the world. It applies to companies that handle the personal data of EU residents, and because cloud platforms such as e-commerce, social media and mobile apps are global by nature, GDPR can affect any company regardless of its geographic location. The law applies to any company or entity that processes personal data as part of activities in the EU, or that, from outside the EU, offers goods or services (paid or free) to individuals in the EU or monitors their behaviour. Under the law, companies can be fined up to 20 million Euros or 4 percent of annual global revenue, whichever is higher.

GDPR came into effect on 25 May 2018. According to The Irish Times, more than 1100 data breaches have been reported to the Data Protection Commission since then, compared with a monthly average of 230 in 2017, before GDPR. The most recent data breach case was reported on 7 Sep 2018, when the credit card details of 380,000 British Airways customers were stolen in a “malicious” breach of the airline’s website and mobile app. The information stolen by the hackers included customers’ names, email addresses and credit card details such as card numbers, expiry dates and three-digit CVV codes. According to The Guardian, the stolen data could be worth £21.5 million.

In dealing with data breaches, a company can cast a big net (using technology) to protect itself against cyber attacks and hacking, but hackers typically need only one small loophole in the entire system to break in. Beyond technology, how can a company adopt a comprehensive framework to ensure it is resilient against an attack, and what should it do if one happens? We list 7 ways companies can protect their information assets:

1. Ensure information security responsibilities are established in the organization

Appoint a person and a team responsible for addressing information security risks in the organization and in its projects.

2. Awareness of information security within organizations

Ensure your staff and contractors are aware of your IT security policies and the regulatory requirements in your country during onboarding, and provide this awareness training to them regularly thereafter.

3. Establish an asset management process

Assets in this case means not only hardware but also soft assets such as personal data, credit card details and supplier contracts. Each identified asset should be recorded, managed and assigned an owner.

4. Adopt a risk management approach to information security

Use a risk management approach to assess the information security risks across all of your organization’s activities and assets that involve the use of information, and review the assessment on a regular basis.

5. Security in system acquisition, development and maintenance

Ensure that information security is an integral part of the entire information system lifecycle, from the requirements analysis of new systems or enhancements to securing systems or services exposed on public networks. This includes code review, security testing of applications, and supervising and monitoring outsourced system development.

6. Managing your suppliers

Ensure that your information security requirements are agreed with your suppliers and documented. Your agreements with suppliers should address the information security risks associated with information and communication technology services, including the product supply chain.

7. Information security incident management

GDPR requires breach notification within 72 hours, and in Singapore the Personal Data Protection Commission (PDPC) definition is “as soon as practicable, no later than 72 hours”. Establishing a formal incident management process is necessary to ensure an effective and consistent process for reporting, investigating and communicating security events and weaknesses.

At bodhi.gen, we offer services to help companies assess their current information security risks using our comprehensive assessment framework, and we provide consultation and implementation activities to help companies build a resilient framework for information security protection. Please reach out to us to find out more.