Since data protection is all about “protection”, it was expected that GDPR would put a special emphasis on data security. On this note, a key principle under GDPR is processing personal data securely and giving individuals the required protection.
By Roxana Ionescu, Partner and Head of Data Protection, NNDKP & Marta Tudor, Associate, Data Protection, NNDKP
However, such a principle may be hard to apply in everyday practice because GDPR does not provide a universal recipe for complying with it. Instead, you have to determine your own security solution based on your own circumstances.
Just like that, the “How?” takes centre stage.
How much security is enough security?
Article 5 para. (1) (f) of GDPR requires that any processing activity be performed in a manner that ensures appropriate security of personal data, using appropriate technical and organizational measures.
Article 32 of GDPR further reflects the obligation to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
Such a risk-based approach and the specific “appropriateness” standard require, and reward, a proper self-assessment of your organization and its processing activities, so that you can fairly determine your own security needs and the security measures most suitable for you.
According to the Security Guidance of the ICO (the UK data protection authority), when making such an assessment you should consider the type of personal data and the way you use it, in order to evaluate how valuable, sensitive or confidential it is, as well as the damage or distress that could be caused if the data were compromised, including where such data are held or used by entities acting on your behalf.
Such an assessment is by itself a security measure, but there are many more that you should consider, both from an organizational and from a technical perspective (physical as well as electronic). For example, ICO refers to firewalls, secure device settings, access controls, anti-malware and software updates. Moreover, GDPR points out pseudonymisation and encryption as two security measures that you may implement. Such measures are offered only as potential solutions that you may consider; they are neither exhaustive nor mandatory in all cases. But the assessment still needs to be made.
In doing so, companies should not lose sight of organizational measures. This point was prominent in the first fine applied for a data breach in Romania in July 2019, where a hotel was fined for mismanaging a printed list of clients who had paid for breakfast, a list that was photographed and published online. The Romanian data protection authority held that the controller had failed to take steps to ensure that any natural person acting under its authority with access to personal data did not process them except on its instructions.
Why should you make a priority out of this security requirement?
An appropriate security level for your organization means that you will not only comply with the data security principle, but you may also be able to demonstrate that you are ticking the box of compliance with other GDPR requirements.
It will also better position you to prevent a data breach; and if one does occur, it will allow you to manage it better, so as to mitigate or exclude your liability, including under GDPR.
For instance, the data protection authority must “reward” your compliance efforts on this matter when assessing the appropriate fine and lists “the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them” as a mitigating factor in this respect.
All things considered, building your appropriate security strategy may definitely be a (continuous) challenge in your organisation, but it certainly has its usefulness beyond mere security.