My recent posts in this series have discussed best privacy practices for the hypothetical software company BizConnect. These practices have included: a) drafting a GDPR compliant privacy policy; b) self-certifying under the Privacy Shield for transfers of EU personal data; c) adopting GDPR model clauses for transfers of EU personal data; and d) deciding whether to conduct a DPIA and/or adopt a Code of Conduct.
This post discusses why BizConnect should draft an internal written data security plan as well as consider obtaining SSAE-18 audit reports, and a Business Continuity Plan.
Data privacy and security are two sides of the same coin. The GDPR aims to incentivize companies to carry out the necessary security reviews to ensure that personal data is protected to the extent reasonably possible. Article 32 of the GDPR addresses the security measures required by data controllers and data processors. It does not mandate any specific standard rather it calls for “appropriate technical and organizational measures to ensure a level of security appropriate to the risk…”
These technical and organizational measures (often referred to as TOMs) should be part of a company’s written security plan. This plan can be updated periodically as well as serve as the foundation for internal training of employees on appropriate security practices. It must be a living document and accurately reflect the company’s security practices rather than an inspirational plan.
Why a Written Security Plan?
The written security plan dovetails with GDPR’s Data Protection Impact Assessment (“DPIA”). Every data controller or data processor may not be required under GDPR to produce a formal DPIA but every company should carry out a data mapping exercise, which analyzes the personal data flows. The data mapping exercise is a necessary pre-condition to drafting a meaningful DPIA as well as a comprehensive written security plan. The written security plan actualizes the steps necessary to address any gaps and weaknesses identified in the data mapping document.
Who:
Senior management should oversee and monitor the drafting of the security plan but it will need to be carried out by knowledgeable IT experts either within the company or contractors for the company. A company’s privacy team should include not only the privacy officer and IT but the business units like marketing and HR where security incidents are likely to originate.
This team should regularly report to senior management on how well the company is managing their security plan including training, incident response, and where necessary data breach notification to appropriate regulators and affected individuals.
What:
There is no mandated template for a written security plan under the GDPR. If you are a manager working with IT security (internal or external), some of the topics to consider addressing in a written security plan include: access controls; technical and organizational measures (TOM), intrusion detection, disaster recover, testing, physical security, reliability and backup, and incident management. For more detail about these topics, click here.
BizConnect:
BizConnect is the hypothetical software services company featured in these series of privacy practices blogs.
BizConnect has drafted a written security plan following the topics listed above. It conforms with their data mapping exercise and forms the basis for training company employees and contractors on data breach notification and data subject request simulations.
What is Pseudonymization and Anonymization?
These terms refer to the levels of de-identification of the personal data and whether it is practically possible to re-identify the person connected to the data. With anonymization it is not possible to re-identify data subjects whereas with pseudonymization the data controller (or processor) retains the ability to re-identify the data subjects.
Anonymized data is not subject to GDPR. Pseudonymized data is subject to GDPR but the data controller (or data processor) has more latitude on the use of that data.
What is SSAE-18?
SSAE-18 is the current audit standard set by the AICPA – American Institute of Certified Public Accountants. The former standards were called SAS 70 (until 2011), and SSAE-16 (until 2017).
What is a Type 1 and Type 2 report?
These audit standards test the internal controls of the enterprise. A Type 1 report looks at the internal controls in a moment in time whereas the Type 2 report measures it over a specific period of time like six months.
What is SOC 1 and SOC 2?
SOC means “service organizational controls.” A SOC 1 report focuses on financial reporting controls whereas SOC 2 reports focus on non-financial reporting controls including security, availability, processing integrity, confidentiality and privacy of a system. These criteria are known as the Trust Services Principles. Whether a customer requests a SOC 1 or SOC 2 report depends on whether the data they are sharing with the vendor affects their financial controls or not. If it does, they would likely request a SOC 1. For their data privacy and security concerns, they would request a SOC 2 report.
BizConnect:
BizConnect has some customers who contractually require that BizConnect provide a SOC 2 report. Many small companies do not have the resources to carry out the SOC 2 audit. It can cost $20,000 or more by a qualified CPA firm. BizConnect hosts its data on Amazon Web Services (AWS). AWS has passed the SOC 1 and SOC 2 audits and can provide the applicable reports to its customers. The enterprise customer may accept the AWS report and not require BizConnect to obtain their own report. This will depend on whether BizConnect is actually handling any of the customer’s personal data.
What is a Business Continuity Plan?
This is a document that outlines how the enterprise will respond to mitigate the effects of any internal or external disruption of its operations. These can certainly include cyberattacks as well as natural disaster or human error.
BizConnect:
BizConnect’s large financial enterprise customers have requested that BizConnect have a Business Continuity Plan in place. Many customers will provide their own form, which the vendor can review and modify as needed to ensure that it complies with the requirements. This is a good exercise for any enterprise whether or not their customers require it.
It is also a good idea for an enterprise to stage a simulation of an external event like a cyberattack or natural disaster to ensure that all members of the enterprise are familiar with their roles and responses in such a situation.