We propose the most efficient way to comply with your legal obligations.
Since the entry into force of the General Data Protection Regulation (GDPR) and the Spanish Organic Law on Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), organizations that collect personal data (controllers) and those that are entrusted or hired to carry out some kind of processing of that data on their behalf (processors) face a series of obligations. Here we refer in particular to article 28 of the LOPDGDD:
Article 28. General obligations of the controller and processor
1. Controllers and processors, taking into account the elements listed in articles 24 and 25 of Regulation (EU) 2016/679, shall determine the appropriate technical and organizational measures that must be applied in order to guarantee and prove that the processing is in accordance with the aforementioned regulation, with this organic law, its implementing regulations and the applicable sector legislation...
What is peculiar here is that both the Regulation and the Law leave it to the discretion of controllers and processors to decide what these appropriate measures should be and how they can be accredited. We cannot doubt that the organizations already fined by the AEPD, such as Vodafone, EDP, Caixabank, BBVA or Equifax, were convinced that they had these appropriate technical and organizational measures in place. According to Business Insider, in the first half of 2021 more than 23 million euros in sanctions have been imposed on telecoms, banks, airlines...
At LEET Security we offer a unique model to define what these appropriate measures are and to prove their implementation. In the latest version of our rating methodology and control framework, we have incorporated the regulatory privacy requirements, also taking into account the measures provided in the NIST Privacy Framework. With this, we have enriched the cybersecurity rating with a complementary privacy qualifier.
How does it work?
The first step, as always, is to determine the level of risk or impact that an incident could cause, according to the sensitivity of the information and the volume of data handled. This, of course, is something that only the organization itself can and should do. Simplifying, the result can be classified into three levels: low, medium or high/critical. The measures that should be established are then determined accordingly.
This is where our control framework comes in. It has the widest catalogue of technical, organizational, procedural and even physical security measures, organized in five levels, from the basic level 'D' to the highest level 'A+', which corresponds to extreme security. Following the previous simplification, risk levels can be associated with adequate protection levels: for a Low risk level the measures corresponding to level 'C' can be selected, a Medium level with those of level 'B', and a High/Critical level with those of level 'A'.
However, since the rating assigns levels separately to the Confidentiality, Integrity and Availability dimensions, as well as to each of the sections into which the measures are classified, this correspondence can be made in a much more detailed way.
With this, determining the appropriate measures can be considered complete. What remains is to guarantee and prove that such measures are in place, and this is what the rating provides: the rating label and certificate guarantee that these measures are implemented in the services evaluated and have been verified by LEET Security as an independent professional entity.
Finally, the complementary privacy qualifier mentioned above indicates that compliance with all the practices linked to data protection regulations corresponding to the rating level obtained has been verified (if any of them is lacking, the qualifier is not granted; instead, a degree or percentage of achievement is reported).
A rating at the level corresponding to the established risk, together with the complementary privacy qualifier, cannot guarantee that you will not suffer an incident, but if one does occur you will be in the best position to prove that you acted with all due diligence in the processing of personal data. If you process data directly, obtain your rating label and certificate now. Or demand it if you contract the processing to a third party or processor.