Since data protection is all about “protection”, it was expected that GDPR would put a special emphasis on data security. On this note, a key principle under GDPR is processing personal data securely and giving the individuals the required protection.
However, such principle may be hard to tackle in practice because GDPR does not provide a universal recipe for its compliance. Instead, you have to determine your own security solution based on your own circumstances.
Just like that, the “How?” get’s central stage.
How much security is enough security?
Article 5 para. (1) (f) of GDPR requires that any processing activity be performed in a manner that ensures appropriate security of personal data, using appropriate technical and organizational measures.
Article 32 of GDPR further reflects the obligation to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the cost of implementation and the nature, scope, context, and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
Such risk-personalized approach and the specific “appropriateness” require and give value to a proper self-assessment of your organization and processing activities, in order to fairly determine your own security needs and your most suitable security measures.
According to ICO’s Security Guidance (the UK data protection authority), when making such assessment, you should consider the type of personal data and the way you use it in order to evaluate how valuable, sensitive or confidential it is, as well as the damage or distress that may be caused if the data was compromised, including if such data are held or used by entities acting on your behalf.
Such assessment is by itself a security measure, but there are many more that you should consider, both from an organizational and technical perspective (both physical and electronic). For example, ICO refers to firewalls, secure device settings, access controls, anti-malware, and software updates. Moreover, GDPR points out pseudonymization and encryption as two security measures that you may implement. Such measures are provided only as potential solutions that you may consider, without having an exclusive or mandatory nature in all cases. But the assessment still needs to be made.
In doing so, companies should not lose sight of organizational measures. This point was prominent in the first fine applied for a data breach in Romania in July 2019, where a hotel received a fine for mismanaging a printed version of a list of clients having paid for breakfast, which list was photographed and published online. The Romanian data protection authority held that the controller had failed to take steps to ensure that any natural person acting under its authority and having access to personal data does not process them except as instructed.
Why should you make a priority out of this security requirement?
An appropriate security level for your organization means that you will not only comply with the data security principle, but you may also be able to demonstrate that you are ticking the box of compliance with other GDPR requirements.
It will also make you better positioned to prevent a data breach, and if such occurs, it allows you to better manage it so as to mitigate or exclude your liability, including under GDPR.
For instance, the data protection authority must “reward” your compliance efforts on this matter when assessing the appropriate level of fine and lists “the degree of responsibility of the controller or processor taking into account technical and organizational measures implemented by them” as mitigating factor in this respect.
All things considered, building your appropriate security strategy may definitely be a (continuous) challenge in your organization, but it certainly has its usefulness beyond mere security.