Have a plan and regularly test, assess and evaluate it
Having a cyber incident response plan is a significant step toward preparing for the GDPR. The Article 29 Data Protection Working Party, set up specifically to clarify parts of the GDPR, agreed that breach prevention and response is key to any security policy. Specifically, Article 32 of the regulation states that technical and organizational measures need to provide:
“(b) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data on time in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.”
We are all under pressure to meet our obligations under the GDPR (and the DPA) and want to avoid the wrath of the regulator, which could include not only significant potential fines but also the loss of the right to process data. An essential part of this obligation, one that is often overlooked, is the need for “regularly testing, assessing and evaluating”. Key to this is having a cyber incident response plan in place that defines how you would respond to a cyber incident, as well as the ability to test that plan to ensure it is effective.
We recommend annual scenario planning workshops to review the threat landscape and revise both your crisis management plan and your cyber incident response plan accordingly. We also recommend annual or bi-annual immersive simulation exercises to put your team to the test and ensure that they are crisis ready. It is the only effective way to test your crisis preparedness and so meet your obligations under the GDPR.