July 18, 2017

GDPR Guidance: How to Identify Security Risks and Better Protect Confidential Data


Many security experts say rights protection has not kept up with the implementation of new technologies and as a result, personal information is more at risk than ever.

The new General Data Protection Regulation (GDPR) will address the issue in different ways including a Data Protection Impact Assessment (DPIA) requirement in the workplace. The GDPR is replacing the Data Protection Act for countries that are part of the European Union, and it goes into effect next May. But all companies, anywhere in the world, that process information about EU citizens must comply.

According to GDPR guidance papers, the GDPR will require a Data Protection Impact Assessment (DPIA) in particular when a company is going to handle personal data using new technologies.

A DPIA will assess security risks involved in processing data. It is similar to the existing Privacy Impact Assessment (PIA) and Security Risk Assessment.

A systematic process is recommended because it not only protects data better but also documents the entire process, showing legislators as well as the workforce, business partners, and customers that the company is committed to information security. This may also help reduce liability, negative publicity and damage to reputation.

Here is a guide to assessing all the security risks of personal information in a workplace based on GDPR regulations.

Step 1: Early on in a project, determine if there is a legal obligation to carry out a security risk assessment. Some examples of when a risk assessment is needed include a new project involving the use of personal data, new IT systems that store and access personal information, and data sharing with another company.

Step 2: Identify what data management processes will be required and map out how the personal data, in digital or paper format, will be transmitted, routed, and stored throughout its lifetime. Create an actual diagram that shows how the information flows through the organization.

Step 3: Identify and evaluate all the potential security risks in the workflow. What are the high-risk areas for a data breach? Who are the potential attackers and what are their motives?

Step 4: Make recommendations on how to remediate each risk at each step. Document safeguards and how they will protect confidential information from inappropriate disclosure.

Step 5: Implement all the safeguards to protect confidential and personal data against unlawful processing and disclosure. Safeguards should include:

  • IT controls including authentication processes, encryption, security software, access controls and others;
  • Comprehensive policies and procedures for document management and retention;
  • On-going training to educate employees about appropriate handling and protection of sensitive data (the protection of data in all forms must be prioritized in and out of the workplace);
  • Embedded workplace procedures such as Clean Desk Policy and a Shred-it all Policy;
  • Partnering with a document destruction expert for secure disposal of confidential information (secure shredding of paper documents and hard drives and e-media).

Start Protecting Your Business 

To learn more about how Shred-it can protect your documents and hard drives, please contact us to get a free quote and security risk assessment.