Ireland’s Data Protection Commission has published guidance on data security.

Key Takeaways

  • The most effective means of mitigating the risk of lost or stolen personal data is not to hold the data in the first place.
  • A data controller should always know what personal data they hold, where it is held and how it flows through the organization.
  • Data processors are subject to the same security obligations as data controllers.

Access Controls

  • A data controller has a duty to limit access to personal data on a “need to know” basis and regularly review access controls.
  • Multiple independent levels of authentication may be appropriate where administrators have advanced or extra access to personal data or where they have access or control of other’s account or security data.
  • There should be strict controls on the ability to download personal data from an organization’s systems.

Additional Items Discussed:

  • passwords
  • automatic screensavers
  • encryption
  • antivirus
  • firewalls
  • software patching
  • protection for remote access
  • wireless networks and portable devices
  • log and audit trails
  • incident response plans
  • physical security
  •  the human factor

Read the full text of the guidance.