Information Security Standards for SMEs under EU’s GDPR
The European Union (EU) law General Data Protection Regulation (GDPR) will be enforced on May 25, 2018. Although GDPR is an EU law, its reach extends beyond the EU's physical borders: it also applies to organizations based outside the EU that either process personal data of staff or customers based in the EU or provide services to EU customers on behalf of another company.
“Any information relating to an identified or identifiable natural person” belonging to EU residents has to be secured irrespective of the size of the firm. Even SMEs are expected to make appropriate adjustments on their end. A risk-based approach is required: the higher the risk, the more rigorous the information security measures must be.
The white paper “Guidelines for SMEs on the security of personal data processing”, published by ENISA (European Union Agency for Network and Information Security), states: “The GDPR provisions for a risk based approach is horizontal as there are not exemptions or light weight approaches based on the organization size, availability of resources and capabilities”.
Like large enterprises, SMEs therefore have to identify the level of risk to the personal data of EU residents, taking into consideration the nature, scope, type, volume and context of data processing, and proactively implement security measures corresponding to the level of risk presented.
Article 32 “Security of processing” of GDPR states:
- “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data; (c) the ability to restore the availability and access to data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”
- “The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.”
Any organization found to be non-compliant with GDPR may be fined €20M or 4% of annual global revenue, whichever is higher.
At GigE, we offer information security solutions that are compliant with local and international standards and regulations. If you just want to know whether you are compliant with GDPR, we can perform audits for you. Call +1-888-366-4443 to get in touch with us and see how we can help you be prepared!