GDPR Checklist - Information security checklist

Article ID: 2845
Last updated: 31 Oct, 2019


Step 1 of 5: Management and organisational information security

1.1 Risk management

Your business identifies, assesses and manages information security risks.

Before you can establish what level of security is right for your business you need to review the personal data you hold and assess the risks to that information.

You should consider all processes involved as you collect, store, use, share and dispose of personal data. Also, consider how sensitive or confidential the data is and what damage or distress could be caused to individuals, as well as the reputational damage to your business, if there was a security breach.

You can then begin to choose the security measures that are appropriate for your needs.

In addition, as part of a data protection by design approach, you should conduct a data protection impact assessment (DPIA) in specific circumstances to assess privacy risks. You must do a DPIA before you begin any type of processing which is “likely to result in a high risk”. This means that although you have not yet assessed the actual level of risk you need to screen for factors that point to the potential for a widespread or serious impact on individuals.

1.2 Information security policy

Your business has an approved and published information security policy which provides direction and support for information security (in accordance with business needs and relevant laws and regulations) and is regularly reviewed.

A policy will enable you to address security risks in a consistent manner. This can be part of a general policy or a standalone policy statement that is supported by specific policies.

Your policy should clearly set out your approach to security together with responsibilities for implementing it and monitoring compliance.

You should have a process in place to ensure that you review and approve policies and procedures before implementing them and set review dates when required.

It is good practice to have a template document in place, which outlines the agreed style that all policies, procedures and guidance documents must follow and communicate this to relevant managers and staff.

1.3 Information security responsibility

Your business has defined and allocated information security responsibilities and has established a framework to coordinate and review the implementation of information security.

It is good practice to identify a person or department in your business with day-to-day responsibility for developing, implementing and monitoring your security policy. They should have the necessary authority and resources to fulfil this responsibility effectively. For larger organisations, it is common to appoint 'owners' with day-to-day responsibility for the security and use of business systems.

Without clear accountability for the security of systems and specific processes, your overall security will not be properly managed or coordinated and will quickly become flawed and out of date.

1.4 Outsourcing

Your business has established written agreements with all third party service providers and processors that ensure the personal data that they access and process on your behalf is protected and secure.

Many small businesses outsource some or all of their data processing requirements to hosted (including cloud based) services.

There must be a written contract between you (the controller) and the service provider /processor (or other legal act). These contracts must include certain specific terms, as a minimum, including security standards. As controller, you are liable for overall compliance with the GDPR and for demonstrating that compliance. However processors do have some direct responsibilities and liabilities of their own. You must be satisfied that any processors you use treat the personal data they process for you securely, in line with the requirements of the GDPR.

You must choose a third party provider or processor that gives sufficient guarantees about its security measures. To make sure they have appropriate security arrangements in place, you might, for example, review copies of any security assessments and, where appropriate, visit their premises.

The contract with the processor must include a term requiring the processor either to delete or return (at your choice) all the personal data it has been processing for you. The contract must also ensure it deletes existing copies of the personal data unless EU or member state law require it to be stored.

If you use a third party service provider or processor to erase data and dispose of or recycle your ICT equipment, make sure they do it adequately. You will be held responsible if personal data collected by you is extracted from your old equipment if it is resold.

Step 2 of 5: Your staff and information security awareness

2.1 Training and awareness

Your business has regular information security awareness training for all staff, including temporary, locum or contracted employees, to ensure they are all aware of and fulfil their responsibilities.

You should brief all staff on their security responsibilities, including the appropriate use of business systems and ICT equipment. You should also train your staff to recognise common threats such as phishing emails and malware infection, and how to recognise and report personal data breaches.

You must ensure that staff with specific security responsibilities or with privileged access to business systems are adequately trained and qualified.

You should schedule training to take place on or shortly after appointment with updates at regular intervals thereafter or when required. You should also reinforce training using other methods including intranet articles, circulars, team briefings and posters.

Well-designed security measures will not work if staff do not know about or follow business policies and procedures. You should make policies and procedures available to all staff using staff intranet pages, policy libraries or through leaflets and posters.

It is good practice to circulate new information or updates through bulletins or newsletters.

Step 3 of 5: Physical security

3.1 Secure areas

Your business has entry controls to restrict access to premises and equipment in order to prevent unauthorised physical access, damage and interference to personal data.

You should implement entry controls including doors and locks, and protect premises by alarms, security lighting or CCTV. You should also control access within premises and supervise visitors. You should locate servers in a separate room and protect them by additional controls.

3.2 Secure storage

Your business has secure storage arrangements to protect records and equipment in order to prevent loss, damage, theft or compromise of personal data.

All your staff should lock away paper records and mobile computing devices when not in use. Also, you should encourage staff to promptly collect documents from printers, fax machines and photocopiers, and switch devices off outside business hours. Ideally, you should implement secure printing.

3.3 Secure disposal

Your business has a process to securely dispose of records and equipment when no longer required.

All your staff should securely dispose of paper records by shredding. If you use a provider to erase data and dispose of or recycle your computers, make sure they do it adequately. You may be held responsible if personal data collected by you is extracted from your old equipment, if it is resold.

Step 4 of 5: Computer and network security

4.1 Asset management

Your business has identified, documented and classified its hardware and software assets and assigned ownership of protection responsibilities.

It is important to actively manage all the hardware and software your business uses. You should identify and document all office or home based equipment, servers and mobile devices that you are using to process or store personal in an appropriate hardware inventory / register. The asset inventory must also include information on whether the device is a portable and/or personal device. Similarly you should also identify and document all systems and applications processing or storing personal data in an appropriate software register. The software register should include software licence details, latest versions in deployment and details of all patches applied.

Then, for each of the identified assets, you should assign ownership of the asset and identify the security classification.

You should identify, document and implement the rules for the acceptable use of hardware or software (systems or applications) processing or storing information.

These inventories will assist you in creating device and application white lists for approved devices and software / applications.

You should undertake periodic risk assessments of hardware and software asset inventories / registers and c physical checks to ensure the accuracy of the hardware asset inventory eg 'floor to book' exercises.

You must have procedures to ensure all employees (permanent and temporary staff) and third party users return all hardware assets upon termination of their employment, contract or agreement.

4.2 Home and mobile working procedures

Your business ensures the security of mobile working and the use of mobile computing devices.

Mobile working can involve the storage and transit of personal data outside the secure boundaries of your business. Mobile computing devices (for example, laptops, notebooks, tablets and smartphones) are vulnerable to theft and loss, and there are confidentiality risks when using devices in public places.

You should therefore assess the risks of mobile working (including remote working where mobile devices can connect to the corporate network) and devise a policy that sets out rules for authorising and managing mobile working.

4.3 Secure configuration

Your business configures new and existing hardware to reduce vulnerabilities and provide only the functionality and services required.

The default installation of ICT equipment can include vulnerabilities such as unnecessary guest or administrative accounts, default passwords that are well known to attackers, and pre-installed but unnecessary software. These vulnerabilities can provide attackers with opportunities to gain unauthorised access to personal data held in business systems.

You should securely configure (or 'harden') ICT equipment on installation. Maintaining an inventory of ICT equipment will help you identify and remove unnecessary or unauthorised hardware and software.

4.4 Removable media

Your business has established controls to manage the use of removable media in order to prevent unauthorised disclosure, modification, removal or destruction of personal data stored on it.

Removable media (for example, CD/DVDs, USB drives, smartphones) is highly vulnerable to theft or loss, and uncontrolled use can lead to data breaches.

If there is a business need to store personal data on removable media, you should implement a software solution that can set permissions or restrictions for individual devices as well as entire classes of devices.

You should minimise and encrypt personal data.

4.5 User access controls

Your business assigns user accounts to authorised individuals, and manages user accounts effectively to provide the minimum access to information.

Your business assigns user accounts to authorised individuals, and manages user accounts effectively to provide the minimum access to information.

4.6 System password security

Your business has appropriate password security procedures and 'rules' for information systems and has a process in place to detect any unauthorised access or anomalous use.

Users' access credentials (eg a username and password or passphrase) are particularly valuable to attackers. A 'brute force' password attack is a common threat so you need to enforce strong passwords, regular password changes, and limit the number of failed login attempts.

You should enable and actively encourage your staff to choose a strong password.

You should also monitor user activity to detect any anomalous use.

Having multiple passwords for different systems can be difficult for staff to remember however it is important that passwords are not written down or recorded in accessible locations or systems logs.

You should promptly disable passwords when staff change duties or leave your business.

4.7 Malware protection

Your business has established effective anti-malware defences to protect computers from malware infection.

Computers can be infected with malware (for example, viruses, worms, Trojans, spyware) via email attachments, websites and removable media. This can result in the loss or corruption of personal data.

You should install malware protection software which regularly scans your computer network to detect and prevent threats. You need to keep the software up-to-date and educate your staff about common threats.

4.8 Backup and restoration

Your business routinely backs-up electronic information to help restore information in the event of disaster.

You should take regular back-ups to help restore personal data in the event of disaster or hardware failure. The extent and frequency of back-ups should reflect the sensitivity and confidentiality of the personal data and how critical it is to your business being able to operate. Ideally, you should keep back-ups in a secure location, away from your business premises, and regularly test the restoration of personal data to check its effectiveness.

4.9 Monitoring

Your business logs and monitors user and system activity to identify and help prevent data breaches.

Monitoring and logging can help your business to detect and respond to external threats and any inappropriate use of information assets by staff.

You should continuously monitor inbound and outbound network traffic to identify unusual activity (for example, large transfers of personal data) or trends that could indicate an attack. Your systems should be capable of logging who has accessed records containing personal data so you can perform regular monitoring to confirm only authorised members of staff have accessed the information.

Monitoring and logging must comply with any legal or regulatory constraints, including data protection legislation. For example, you should make staff aware of any monitoring.

4.10 Patch management

Your business keeps software up-to-date and applies the latest security patches in order to prevent the exploitation of technical vulnerabilities.

Most popular software products contain technical vulnerabilities that can be exploited by attackers to gain unauthorised access to personal data held in your systems.

You should use the latest versions of operating systems, web browsers and applications, and ensure you update these regularly to help prevent the exploitation of unpatched vulnerabilities.

4.11 Boundary firewalls

Your business has boundary firewalls to protect computers from external attack and exploitation and help prevent data breaches.

Attackers can gain unauthorised access to personal data if you do not protect the boundary between your computer network and the internet.

You should install a firewall to monitor and restrict network traffic based on an agreed set of rules. A well configured firewall is your first line of defence against external attack and can help to prevent data breaches, for example, by blocking malware or hacking attempts.

You should also minimise the impact of data breaches by segmenting and limiting access to network components that contain personal data. For example, your web server should be separate from your main file server. If your website is compromised then the attacker will not have direct access to your central data store.

Step 5 of 5: Personal data breach management

5.1 Incident management

Your business has effective processes to identify, report, manage and resolve any personal data breaches. You have appropriate training in place to ensure staff know how to recognise and what to do if they detect a personal data breach.

The GDPR introduces a duty on all organisations to report certain types of personal data breaches to the ICO and, in some cases, to the individuals affected.

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

Personal data breaches may arise from a theft, an attack on your systems, the unauthorised use of personal data by a member of staff, or from accidental loss or equipment failure.

You should make sure that your staff understand what constitutes a personal data breach, and that this is more than a loss of personal data.

You should ensure that you have an internal breach reporting procedure in place. This will facilitate decision-making about whether you need to notify the ICO or affected individuals.

5.2 Your business has a procedure in place to report a breach to the ICO and to affected individuals, where necessary.

You have to notify the ICO of a personal data breach unless it is unlikely to result in a risk to the rights and freedoms of individuals.

If unaddressed such a breach is likely to have a significant detrimental effect on individuals. For example, result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.

You have to assess this on a case by case basis. For example, you need to notify the ICO about a loss of customer details if the breach leaves individuals open to identity theft. On the other hand, the loss or inappropriate alteration of a staff telephone list would not normally meet this threshold.

Your breach notification must contain:

  • A description of the nature of the personal data breach including, where possible;
  • The categories and approximate number of individuals concerned;
  • The categories and approximate number of personal data records concerned;
  • The name and contact details of your data protection officer (if your organisation has one) or other contact point where more information can be obtained;
  • A description of the likely consequences of the personal data breach;
  • A description of the measures you have taken, or proposed to take, to deal with the personal data breach
  • Where appropriate, the measures you have taken to mitigate any possible adverse effects.

You must report a notifiable breach to the ICO without undue delay, but not later than 72 hours after becoming aware of it. If you take longer than this, you must give reasons for the delay. It may not always be possible to investigate a breach fully within that time-period and so you can provide information in phases.

Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you must notify those concerned directly and without undue delay.

You need to describe, in clear and plain language, the nature of the personal data breach and, at least:

  • The name and contact details of your data protection officer (if your organisation has one) or other contact point where more information can be obtained;  
  • A description of the likely consequences of the personal data breach;
  • A description of the measures you have taken, or propose to be take, to deal with the personal data breach and including, where appropriate, the measures you have taken to mitigate any possible adverse effects.

Even where a breach doesn’t need to be reported, you must document the breach including the facts relating to the breach, its effects and the remedial action taken. This is part of your overall obligation to comply with the accountability principle, and allows us to verify your organisation’s compliance with its notification duties under the GDPR.

5.3 Your business has procedures in place to effectively investigate the cause(s) of a breach and implement measures to mitigate future risks.

However a breach occurs it is important that you deal with it effectively and learn from it. You should have a process to investigate and implement recovery plans.

Ideally, you should monitor the type, volume and cost of incidents to identify trends and help prevent recurrences.

Article ID: 2845
Last updated: 31 Oct, 2019
Revision: 7
Views: 1828
This article was:  

Also listed in
folder GDPR Centre