Risk assessment in GDPR – right or wrong measures?

By Corey Owens
September 17, 2021


When we were advising organizations on how to bring their businesses into compliance with the GDPR, that is, the Serbian Personal Data Protection Law, we often received responses indicating that the organization was applying “security best practices” to some of its information. What does this formulation mean?

To our knowledge, such wording often represents an excuse for non-compliance with the GDPR. Controllers and processors should carry out an information security risk assessment and assess the risks that their business activities (processing activities) pose to personal data (assess the security of processing), so that they can respond to the risks to personal data and to the rights and freedoms of data subjects, i.e. apply adequate technical, organizational and legal measures to mitigate the identified risks to an acceptable level.

Those familiar with the application of information security, the Data Protection Directive and the GDPR understand that information security is the predecessor and the cornerstone of personal data protection. The security of information systems is an integral part of GDPR compliance because information security systems are essential means for the processing of personal data.

To protect confidential business information, the efforts of the business community and information security experts have resulted in the adoption and implementation of information security standards. Organizations with a business interest in protecting confidential business information could, and still can, apply the requirements set out in these standards to secure their information systems. These efforts are expected to result in certification against information security standards such as ISO/IEC 27001:2013, the information security management system (ISMS) standard. The key point of the certification process is that an independent accredited body verifies the state of the information security system and confirms the security measures in practice. Certification means that the organization and its business partners can rely on the certificate and be confident about the level of information security.

However, organizations do not need an ISMS certificate to adequately protect their information systems. The prerequisites for adequate protection are that an information security risk assessment based on an adequate risk assessment methodology is carried out and that adequate measures commensurate with that risk assessment are implemented. We have advised organizations to apply the methodology defined in ISO/IEC 27005:2018.

When we first started receiving information from organizations that they use “security best practices” to protect their information security systems, we were a little confused. We were confused by the meaning of such wording and by how “security best practices” can be applied to specific business environments where information security risks vary in each case. To reach a specific level of information security, organizations must apply an acceptable risk assessment methodology and then apply information security measures commensurate with the assessed risks. Without an information security risk assessment, no “security best practice” can be verified in practice.

When we started to analyze the state of information security within organizations, we came to the conclusion that everyone “follows security best practices”. We felt that organizations were “hiding” information security measures, practices and possible security loopholes because of the competitive market. However, the GDPR significantly changes this practice and requires organizations to report data breaches to the supervisory authority. Most organizations have information security policies, but have never formally assessed information security risks. Using “security best practices” without assessing information security risks is the same as when organizations use “know-how” that does not match their actual needs. For example, when an organization applies technical measures such as firewalls, computer and network scanners, IDS/IPS systems, real-time log file scanners, system vulnerability scanners and the like, these measures may be unnecessarily expensive and not relevant to the actual information risks. In addition, organizational, operational and personnel measures can be just as effective as technical measures, but much cheaper.

On the other hand, with the rapid development of information technology and of personal data processing, the main stakeholders in Europe concluded that the ISMS does not sufficiently address the protection of personal data (it mainly deals with business information) and therefore adopted the GDPR. For example, the ISMS has nothing to do with the processing of personal data, profiling or monitoring the behavior of data subjects. The crucial difference is that an ISMS helps organizations implement a system to protect information security, while the GDPR focuses on how that information security system is used to protect personal data.

This concept is summarized in article 24 of the GDPR:

“Taking into account:

i) the nature, scope, context and purposes of the processing;

ii) risks of varying probability and severity for the rights and freedoms of individuals

the controller implements the appropriate technical and organizational measures to guarantee and be able to demonstrate that the processing is carried out in accordance with this Regulation.

These measures are reviewed and updated as necessary.

When proportionate to the processing activities, the measures include the implementation of appropriate data protection policies by the controller.”

In addition, the GDPR requires data controllers and processors to ensure the security of processing, which means not only the security of the information itself but the security of any form of processing of personal data, i.e. how the information security system is used to process personal data. When assessing the appropriate level of security, the GDPR requires that particular account be taken of the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

These provisions should be interpreted as follows:

In addition to assessing information security risks, controllers must take into account additional sources of risk to personal data (the GDPR covers not only information security risks but also the security of the processing of personal data):

i) Nature of processing – whether automated, semi-automated or manual. Automated processing or profiling can lead to high risks for the rights and freedoms of natural persons, such as discrimination;

ii) Scope of processing, i.e. whether personal data is processed on a large scale or not;

iii) Processing context, i.e. context of an organization that processes personal data, for example, the risk is greater in an organization that sells goods online than in those that only produce food for animals;

iv) The purposes of the processing, which means that different purposes of the processing may entail risks of different level for personal data;

v) The organization should assess the “risk of varying likelihood and severity to the rights and freedoms of individuals”, i.e. the likelihood and severity of the impact of the risk (a breach of the confidentiality, integrity and availability of personal data) multiplied by the likelihood and severity of the risk occurring (from four main business areas: information technology, processing activities, the people involved in processing, and the production sector itself). In addition, organizations should assess how a violation of the confidentiality, integrity and availability of personal data may affect the rights and freedoms of data subjects.

For the risk assessment for personal data (processing security), we apply the same risk assessment methodology as for the information security risk assessment, but with a focus on the security of the processing.

Example:

i) Nature of processing: automated processing or profiling of customer personal data in part of the processing;

ii) Organizational context: a bank;

iii) Scope of processing: one of the major players in the market;

iv) Purpose of processing: to take decisions on loan granting applications.

v) Whether the risk of violation of the confidentiality, integrity and availability of customers’ personal data is low, medium, high or very high, and how such violations may affect the rights and freedoms of data subjects.
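As an added illustration (not from the article), the following Python scores the bank example above with the likelihood × severity approach from point v): the 1-4 scales, band edges, the automated-processing adjustment and the sample ratings are all assumptions.

```python
from dataclasses import dataclass

# Assumed 1-4 ordinal scales; the article names only the four output levels.
LEVELS = ["low", "medium", "high", "very high"]

@dataclass
class ProcessingActivity:
    name: str
    nature: str      # "automated", "semi-automated" or "manual"
    scope: str
    context: str
    purpose: str
    # property -> (severity of impact on data subjects, likelihood of occurrence), each 1-4
    ratings: dict

def risk_score(severity: int, likelihood: int, nature: str) -> int:
    """Severity x likelihood. Assumption: automated processing/profiling raises
    severity one step (capped at 4) for the discrimination risk the article names."""
    if nature == "automated":
        severity = min(severity + 1, 4)
    return severity * likelihood

def risk_level(score: int) -> str:
    """Map a 1-16 score onto the four levels (band edges are assumptions)."""
    for edge, level in ((2, "low"), (6, "medium"), (9, "high")):
        if score <= edge:
            return level
    return "very high"

def assess(activity: ProcessingActivity, acceptable: str = "medium") -> dict:
    """Per-property level plus the properties above the acceptable level,
    i.e. those that still need mitigating measures."""
    levels = {prop: risk_level(risk_score(sev, lik, activity.nature))
              for prop, (sev, lik) in activity.ratings.items()}
    needs_measures = [p for p, lvl in levels.items()
                      if LEVELS.index(lvl) > LEVELS.index(acceptable)]
    return {"levels": levels, "needs_measures": needs_measures}

# The article's example: a large bank deciding loan applications with automated
# processing/profiling. The numeric ratings are constructed sample values.
BANK_LOANS = ProcessingActivity(
    name="loan application decisions",
    nature="automated",
    scope="large scale (major market player)",
    context="bank",
    purpose="decide on loan granting applications",
    ratings={"confidentiality": (3, 2), "integrity": (3, 3), "availability": (1, 2)},
)
```

Calling `assess(BANK_LOANS)` rates confidentiality high, integrity very high and availability medium, so only the first two exceed the acceptable level and call for additional measures.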

Based on the risks identified in the two risk assessments (information security risk assessment and processing security risk assessment), we recommend and support organizations in implementing an adequate organizational, technical and legal framework to mitigate the identified risks to an acceptable level.

Only when organizations implement adequate organizational and technical measures commensurate with the assessed risks, can they say they are GDPR compliant.
