NOTE: What might appear to be a lengthy article below is a mere summary of requirements as set out in the GDPR. The reader might be well advised to supplement this content with further detailed material as supplied, for example, by the Article 29 Working Party.
The content below covers the following:
Organisational security measures
Technical security measures
In order to meet their organisational and operational objectives, SMEs are increasingly, depending on Information Technology (IT) networks, systems and applications, while many have an online presence, offering digital services to their customers. They do so by establishing their own IT infrastructure and/or by relying on third party services and technologies, such as those of cloud computing services. The high volume of SMEs in the EU reflects on the high volume of data that are processed by them, much of which is personal data.
What does the GDPR say?
The protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met. Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features.
Security obligations of the GDPR
One of the core obligations for data controllers and processors in the GDPR is that of the security of personal data. Although the security of personal data has always been a legal obligation for data controllers under the Data Protection Directive, the GDPR reinforces the relevant provisions (both in substance and context), now extending this responsibility directly to data processors.
It is important to note that security (in the sense of integrity and confidentiality) is established as one of the principles relating to personal data processing (Article 5). This puts security at the core of data protection together with the rest of data protection principles, i.e. lawfulness, fairness and transparency, purpose limitation, accuracy and storage limitation. Following this general principle, the security of personal data processing is mainly mandated in Article 32.
…the controller and the processor shall implement appropriate technical and organisational measures, to ensure a level of security appropriate to the risk…
GDPR puts special emphasis on the notion of risk, establishing specific data protection parameters that need to be considered for its assessment. The security of processing should be considered within the overall GDPR accountability framework for data protection, which is risk-based and impact-based. Under such a framework, security measures can be seen on one hand as an obligation and, on the other, as a tool to implement other data protection obligations (e.g. those of data erasure and data subjects’ rights), especially in online environments.
Security risk management for the processing of personal data
The assessment and management of security risks is essential in information security, supporting the adoption of appropriate security measures. When applying this approach to personal data processing however, one needs to consider the specifics of such processing, which require a different type of approach both in the assessment of the risks, as well as their treatment, acceptance and communication.
The notion of impact: In the ‘typical’ risk assessment process, the risks are estimated based on their potential impacts to the organisation. In the case of personal data processing, however, the impacts are considered with regard to the freedoms and rights of individuals. This is a significant difference as it switches the analysis of impacts towards possible adverse effects that an individual may suffer, including for example identity theft or fraud, financial loss, physical or psychological harm, humiliation, damage to reputation or even threat to life.
The management of risks: Due to the privacy-specific notion of impact, the way that the identified risks are managed may also defer from the ‘typical’ risk assessment process. For example, even if the likelihood of a particular risk is low, a decision to accept the risk will not be the right choice when high impacts to particular individuals may occur (e.g. if it may cause them severe physical damage or threaten their life). While performing such analysis the scale (e.g. number of affected individuals) may not be relevant: the impact is high even if it may bring severe adverse effects only to a single person.
Therefore, in security risk management for personal data it is first of all important to define the overall context of the processing (e.g. types of personal data, purpose of processing, legitimate recipients, etc.), which will then support the definition of possible threats and risks based on the impact to individuals.
Assessing security risks for personal data
The assessment of risks is the first step towards the adoption of appropriate security measures for the protection of personal data and the approach should be based on:
Definition of the processing operation and its context.
What is the personal data processing operation?
What are the types of personal data processed?
What is the purpose of the processing?
What are the means used for the processing of personal data?
Where does the processing of personal data take place?
What are the categories of data subjects?
Who are the recipients of the personal data? (The GDPR defines ‘recipients’)
Understanding and evaluation of impact.
The organisation needs to evaluate the potential impact to the rights and freedoms of individuals that a security incident (related to the data processing system) might bring. The security incident may be associated to any type of breach of confidentiality, integrity or availability of personal data.
Define and describe your impact levels – e.g. Very high, High, Medium, Low;
Evaluate the potential impact by looking at the type of personal data, the criticality of the processing operation, any special characteristics of the controller / processor and special characteristics of the data subjects
Definition of possible threats and evaluation of their likelihood (threat occurrence probability).
In the context of this discussion, a threat is any circumstance or event which has the potential to adversely affect the security of personal data. At this step, the scope for the organisation is to understand the threats related to the overall environment of the personal data processing (external or internal) and assess their likelihood (threat occurrence probability). They are related to four main dimensions of this environment, namely:
Network and technical resources (hardware and software);
Processes/procedures related to the data processing operation;
Different parties and people involved in the processing operation;
Business sector and scale of the processing.
Evaluation of threat occurrence probability relating to the four dimensions listed previously.
Usually, three levels of threat occurrence probability are defined:
Low – the threat is unlikely to materialise.
Medium – it is possible that the threat materialises.
High – the threat is likely to materialise.
Organisational Security Measures
Security policy and procedures for the protection of personal data
The security policy is a high-level document that sets the basic principles for the security and protection of personal data in an organisation. It thus forms the basis for the implementation of all specific technical and organisational measures, according to Article 32, as also complemented by Article 24. The security policy shows the overall commitment of the organisation’s management towards security and data protection. It can be based on or form part of the organisation’s general IT security policy; in any case, it should explicitly address also the protection of personal data.
Roles and responsibilities
According to Article 32 (4), ‘the controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law’.
Therefore, as a first and basic control for the security of personal data, all the organisation’s jobs requiring access to personal data should have clearly defined and documented roles & responsibilities.
Access control policy
Following the definition of roles and responsibilities, it is essential to determine an access control policy to the systems used for the processing of personal data. This should be based on the ‘need to know’ principle, i.e. each role/user should only have the level of access to personal data that is strictly necessary for the performance of its relevant tasks. This is a central concept also in the GDPR and is closely related to the principle of data minimisation (Article 5(c)).
The proper management of hardware, software and network resources is essential for the security of personal data, as it allows control of the means of the processing (and, thus, control of the subsequent organisational and technical measures). Resource management as a minimum includes the registration of IT resources and network topology (which are used for the processing of personal data).
Change management aims at synchronising and controlling all changes performed in the IT system used for the processing of personal data. It is an important security measure, as an unsuccessful change attempt could lead to unauthorised disclosure, modification or destruction of data.
According to Article 28, ‘the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject’. The same Article states that the processing by the processor should necessarily be governed by contract or other legal act, setting also the minimum clauses that this should include and particularly referring to the security of personal data under Article 32.
Incident response and business continuity
Incidents handling / Personal data breaches
In the event of a data security breach, the organisation should asses if this leads to an “accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (Article 4(12)). Controllers should make sure that they meet their obligations under Articles 33 and 34 regarding notification of a personal data breach to the supervisory authority and to the data subjects. Processors should also make sure that they meet their obligation under Article 33 for immediate notification of the data controller. In any case, both data controllers and processors should have appropriate procedures in place, not only for the notification of personal data breaches, but also for the overall handling and management of such events.
A business continuity plan (BCP) is essential for determining the processes and technical measures that the organisation should follow in case of an incident/personal data breach. As such it complements the security policy of the organisation, as well as its incident response plan. This measure is clearly related to Article 32, which mandates the ability (for the controller/processor) ‘to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident’.
Confidentiality of Personnel
In order to ensure confidentiality of personal data under Article 32, the organisation should ensure that its employees also provide sufficient confidentiality guarantees, both in terms of technical expertise and personal integrity. Moreover, according to Article 32 (4), ‘the controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law’. To this end, specific measures should be in place to ensure that the personnel involved in the processing of personal data are properly informed about their duty to confidentiality, as well as to guarantee that this duty is sufficiently stipulated in the organisation’s human resources policies.
Personnel training in data protection and security procedures (e.g. use of passwords and access to specific data processing systems) is important for the right implementation of the organisational and technical security measures. Information on specific data protection legal obligations is also central, especially for key personnel involved in high risk processing of personal data.
Technical security measures
Access control and authentication
Access control and authentication are basic security measures for the protection against unauthorised access to the IT system used for the processing of personal data. They implement the access control policy of the organisation (see Section 22.214.171.124) by technically enforcing it into specific components and applications.
Logging and monitoring
The use of log files is an essential security measure that enables identification and tracking of user actions (with regard to the processing of personal data), thus supporting accountability in case of an unauthorised disclosure, modification or destruction of personal data. Monitoring of log files is important for identifying potential internal or external attempts for system violation.
Security of data at rest
Data at rest is data that is not actively moving from device to device or network to network such as data stored on a hard drive, laptop, flash drive, or archived/stored in some other way. Therefore, this category of measures is mainly related to the processing of personal data in databases or other relevant systems (including cloud storage). It also relates to the processing of personal data by employees with the use of specific workstations or other devices. GDPR recognizes the ability of pseudonymisation to help protect the rights of individuals while also enabling data utility. Under Article 32, one of the measures mentioned is the “pseudonymisation and encryption of personal data”.
Servers and databases consist the backbone of the information system processing personal data. They must be security hardened to ensure a secure operating environment.
This measure is mainly related to the security configuration of users’ workstations or other devices. It is important for enforcing specific security policies and restricting users from performing certain actions that could compromise the security of the IT system (e.g. deactivating of antivirus programs or installation of unauthorised software).
Network security is important for the protection of personal data, both with regard to external connections (e.g. to the Internet), as well interconnection with other systems (external or internal) of the organisation.
A back up system is an essential means of recovering from the loss or destruction of data. While some system should be in place, the frequency and nature of back up will depend, amongst other factors, on the type of organisation and the nature of data being processed. Under GDPR Article 32 the aspect the “ability to restore the availability and access to personal data” in part of the data security obligations for the data controller or data processor.
Mobile/Portable devices can extent the level of services offered by the data controller but increase exposure to theft and accidental loss. In the case of mobile devices, such as smartphones or tablets, users might also apply them for personal use and special care must be taken to ensure that business data is not compromised.
Application lifecycle security
During all phases of application development lifecycle, the organisation must ensure that data protection compliance, including personal data security, is taken into consideration. In Article 25 GDPR introduces the principles of data protection by design and by default which require data controllers to design and implement processing activities with data protection in mind while applying the strictest privacy settings.
The purpose of disposal/deletion is to irreversibly delete or destroy the personal data so that it cannot be recovered. The method(s) used must, therefore, match with the type of storage technology, including paper-based copies. When disposing obsolete or redundant equipment, the data controller must ensure that all data previously stored on the devices has been removed prior to disposal. According to Article 6 GDPR personal data should not be retained for longer than necessary in relation to the purposes for which they were collected, or for which they are further processed. In some cases, data subjects are also entitled to request deletion prior to the end of the maximum retention period.
Physical security is equally important to the technology-oriented security measures as physical access to the information system can be the foundation for the overall security strategy.
While large organisations usually have the means to respond to and appropriately implement these requirements, SMEs do not always have the necessary expertise and resources to do so. In many cases it may prove difficult for SMEs to assess and manage the risks associated with personal data processing. The GDPR provision for a risk-based approach is horizontal and there are no exemptions or light-weight approaches that are based on the organisation size, availability of resources and capabilities. Similar to larger organisations, SMEs have to identify the level of risk, depending on nature, scope, context of processing along with the types and volumes of data processed.
The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018