Delivering on security - programmes, people, paperwork
A strong security programme is board-endorsed, multidisciplinary, and connects with data protection and legal staff. Practitioners find the meaning of 'appropriate measures' by consulting external sources (NIS Directive, ENISA, NCSC, ISO 27000, PCI DSS, NIST). People are central - the insider threat is managed across the whole employment lifecycle. The security paperwork matters hugely: a layered approach of policy → controls → operating procedures supports policy-based regulation, which regulators prefer because it is cheaper and quicker than operations-based regulation.
Successful programmes are guided by a board-endorsed vision and a holistic, multidisciplinary steering function drawing on key executives. The data protection professional must be properly connected to security experts, who advise on the threat landscape, security maturity and controls. To understand 'appropriate technical and organisational measures', practitioners look beyond the legislative text to: the NIS, ePrivacy, Cybercrime and PSD2 directives; output of WP29, EDPS and ENISA; the NCSC; national cyber plans; regulator guidance and enforcement decisions; and standards such as the ISO 27000 series, PCI DSS, CBEST and the NIST framework.
- Illustrative controls: firewalls and perimeter security; antivirus and malware protection; endpoint protection and data loss prevention; intrusion prevention/detection; identity and access management including multi-factor authentication; backups (against ransomware); SIEM (security information and event management) for centralised logging and alerting
- People: manage the insider threat across the whole lifecycle - risk-assessing the role, recruitment and vetting, offer/contract wording, induction, continual and role-based training, proportionate monitoring (which the EDPB says needs a DPIA), and secure offboarding
- Penetration testing by 'ethical hackers' is expected - the ICO has cited a lack of pen-testing in enforcement actions
- Physical security: entry control, CCTV, lock-and-key, clean-desk policies, business continuity and disaster recovery

| Layer | What it contains | Secure-data-transit example |
|---|---|---|
| Top - Policy statements | High-level statements of the controller's position on security | 'This company will ensure the security of personal data in transit' |
| Middle - Controls | How the policy is achieved; one policy can have many controls | All laptops protected by full hard-drive encryption; all USB sticks encrypted |
| Lower - Operating procedures | The actual steps to deliver the controls; one control can have many procedures | Detailed laptop ordering, encryption, registration and six-monthly testing process |

Regulators prefer policy-based regulation - examining paperwork is cheaper, quicker and more certain than operations-based regulation (inserting people into a controller's premises). Inadequate paperwork can itself give grounds for a finding of non-compliance, even on an anticipatory basis.