by chomp
3013 days ago
Regulations like this usually draw from other sources for inspiration. So if your company is subject to other regulations (like PCI-DSS), then these really vague sentences start to seem more concrete.

1.) Make sure your software has all vendor-supplied patches.

2.) When personal data is being processed, keep it in RAM.

3.) When personal data is at rest, ensure that it's on a locked-down system and safe. Encryption at rest is called out in GDPR, but it's not required. (The definition of "locked-down" can fill a couple paragraphs, but consider it like SOX - only give access to employees that need it as part of their job title. Block off all access for everyone else - network, physical, logins.)

4.) Make sure that all systems that store/receive/transmit personal data are audited and logged, and do not give out access to people unless they absolutely require it. (Anonymize data for BI, developers, and business reports when able.)