GDPR Learning Hub

Establish an IT security policy

Companies should establish an IT security policy: a central governing document that constitutes a good organizational security measure under the GDPR. 

What is a policy?

A policy is an overarching governing document, unlike a routine, which describes how the work is carried out in practice. Several routines may be established in order to meet the objectives of one policy. A policy sets the direction, goals and vision: what the company wants to achieve and why it matters. Keep in mind that a policy should be:

Overarching: A policy should set out the company’s overall objectives and vision in the specific area. It does not describe exactly how the company should do things, but what applies. For example, a privacy policy together with an IT security policy provides a good basis for complying with the rules of the GDPR.

Strategic: Routines are more likely to change over time, since they consist of day-to-day instructions and practical information. A policy is more long-term and strategic; among other things, it states the ambition for a specific area. There is room for adaptation, but the strategic direction does not usually change.

Easy to understand and concise: A policy should not be long or complicated to understand, because then the whole purpose of the policy is at risk. It should be written simply enough that all employees understand it. A shorter policy is also easier to remember, which reduces the risk of errors. A policy should therefore state a few key principles and be backed by one or more routines that put them into practice.

A routine describes how the staff should work in practice to comply with what applies according to a policy. 

An IT security policy is an organizational security measure

An IT security policy is a document that provides a framework for how the company should work in its IT environment in accordance with the GDPR. Note that it is not a manual, such as a routine, but a broader strategic governing document. Companies must take technical and organizational measures to comply with the GDPR, and an IT security policy is a good organizational security measure. 

Benefits of establishing an IT Security Policy

  • Easier for employees to understand what the company is striving for. 
  • Reduces the risk of personal data breaches.
  • Clarifies who is granted which permissions.
  • Helps the company understand what routines may be appropriate to meet the vision of the policy. 
  • A way to demonstrate compliance with GDPR in the event of a supervision.

Routines that are good for companies to have in order to comply with the IT security policy in practice

  • Sharing data internally. 
  • Onboarding and offboarding of staff.
  • Erasure of personal data.
  • Password management.

Key elements that are good to include in an IT security policy

Purpose

Explain the purpose of the IT security policy and why it is important to have good IT security. In addition, it is good to include how the company should protect personal data throughout its life cycle, from collection to erasure. Include also that risk assessments and privacy by design are the basis for security.

Roles and responsibilities

The policy should be clear about roles and responsibilities within the company: for example, which departments are responsible for what, what responsibility employees have to follow the policy, and the responsibility and role of management. Clear roles reduce the risk of security gaps and streamline the work.

Access management

It is useful to state that access permissions should be based on the principle of ‘need-to-know’, not ‘good-to-know’. In other words, only persons who need access to personal data in order to perform their tasks should be given access, and permissions should be reviewed when a person's role changes or ends.

Handling of different devices

An IT security policy should cover the management of mobile devices, including the use of private mobile phones or laptops for work-related purposes. Keep in mind that lost, stolen or poorly protected mobile devices are a common cause of personal data breaches. The policy should therefore stress proper use in accordance with the internal routines and the overall objectives of the policy.

Handling of personal data breaches

Companies must handle personal data breaches correctly according to the GDPR, otherwise they risk an administrative fine. The GDPR requires the controller to notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach, so the policy should state the importance of this, what constitutes a personal data breach, how reporting is done, and the internal and external reporting paths.

Logging

Logging is a measure most companies should take, for example logging who accesses which IT systems and personal data, and when. It is equally important to protect the logs themselves from manipulation and deletion, since a log that an attacker or insider can rewrite is of little value when investigating a breach.
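As an added example (not code from the original page), the following Python shows one way to make an access log tamper-evident: each entry carries an HMAC over the previous entry's MAC and its own content, so altering or removing an entry breaks every later link. The signing key and the log events are constructed for illustration; in practice the key would be held by a separate log server or KMS that the systems being logged cannot write to.

```python
import hashlib
import hmac
import json

# Constructed example key. Keep the real key away from the hosts that produce
# the events, otherwise whoever tampers with the log can also re-sign it.
KEY = b"example-log-signing-key-not-for-production"
GENESIS = b"\x00" * 32  # starting value for the first chain link

# Constructed sample access events (who accessed which system and record).
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T08:02:11Z", "user": "alice", "system": "HR",
     "action": "read", "subject": "employee/1042"},
    {"ts": "2024-03-01T08:05:47Z", "user": "bob", "system": "CRM",
     "action": "export", "subject": "customers/all"},
    {"ts": "2024-03-01T08:09:30Z", "user": "alice", "system": "HR",
     "action": "update", "subject": "employee/1042"},
]


def _mac(prev: bytes, record: dict) -> bytes:
    """HMAC over the previous link and a canonical JSON form of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(KEY, prev + payload, hashlib.sha256).digest()


def append(chain: list, record: dict) -> list:
    """Append a record to the chain, linking it to the previous entry's MAC."""
    prev = bytes.fromhex(chain[-1]["mac"]) if chain else GENESIS
    chain.append({"record": dict(record), "mac": _mac(prev, record).hex()})
    return chain


def verify(chain: list) -> int:
    """Return the index of the first entry that fails verification, or -1."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = _mac(prev, entry["record"])
        if not hmac.compare_digest(expected.hex(), entry["mac"]):
            return i
        prev = expected
    return -1


def build_sample_chain() -> list:
    chain = []
    for event in SAMPLE_EVENTS:
        append(chain, event)
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact chain:", verify(chain))        # -1

    chain[1]["record"]["user"] = "mallory"       # rewrite who exported the data
    print("edited entry:", verify(chain))        # 1

    chain = build_sample_chain()
    del chain[1]                                 # remove the export from the middle
    print("deleted entry:", verify(chain))       # 1

    chain.pop()                                  # truncate the tail
    print("truncated tail:", verify(chain))      # -1: not detectable by the chain alone
```

Truncating the end of the log is the one change the chain cannot see, which is why the latest MAC should be periodically anchored somewhere the application hosts cannot alter (a write-once store, a separate log server, or a signed timestamp), so that a shortened log can be compared against the last anchored link.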

Technical security measures

Password management

Password management is an important security measure that all companies should work with. The IT security policy should therefore include the importance of secure password management.

Encryption

If the company encrypts personal data, it should be stated in the IT security policy. This usually occurs primarily when processing sensitive personal data or other privacy-sensitive personal data.

Antivirus and firewalls

Antivirus protection and firewalls are common technical security measures and should be included in IT security policies if used.

Backup

Backups are a common technical security measure to prevent the loss or destruction of personal data. An IT security policy should state the backup intervals, the allocation of responsibilities and what backup solutions the company uses. A backup that has never been restored is unproven, so the policy should also require that restores are tested regularly.

Organisational security measures

Data Processing Agreement

Companies often transfer personal data to a third party, and in some cases that party is a processor located in a third country. It is important to ensure that this is done in accordance with the GDPR. Among other things, this means that the company, as data controller, must enter into a written data processing agreement (DPA) when it engages a data processor.

Education

Employees should receive some form of training in order to be able to perform their duties properly and in accordance with applicable law. In addition, they should receive further training when, for example, they are about to take on a new job role. The IT security policy should include which roles may need which training.

Internet usage guidelines

Most employees use the internet in their work, for example to send emails or search for information online. It is important to teach employees how to use the internet safely through written guidelines, so that they can recognise phishing attempts and avoid visiting dangerous websites.

Password routines that can be good for companies to have

Employees should use strong passwords, as this provides a good basis for protecting the personal data that the company processes from unauthorised access. The more sensitive the personal data processed, the stronger the password management required. For example, it may be appropriate to introduce two-factor authentication, or login with biometric personal data where the processing of such data is justified.
