The General Data Protection Regulation (GDPR) replaced the Data Protection Directive on May 25, 2018. The GDPR contains a number of new protections for EU data subjects, introducing significant fines and other penalties for non-compliance.
Although many of the protections relate to data protection practice, data security plays a larger role in the new Regulation, which imposes stricter and more specific obligations on both data processors and controllers with regard to data security. It also sets out controls and guidelines for what must happen in the event of a data security breach.
Appropriate technical and organisational measures
While it’s important to remember that this regulation is focussed on data privacy rather than security (and therefore doesn’t give a specific list of security-related controls), it does mandate that both controllers and processors:
“implement appropriate technical and organisational measures” taking into account “the state of the art and the costs of implementation” and “the nature, scope, context, and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.”
Types of security control
The GDPR goes further than the legislation it replaces, suggesting what kind of security controls might be considered “appropriate to the risk,” including:
• The pseudonymisation (in essence a “reversible” anonymization) and encryption of personal data
• The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services. These are the fundamental building blocks of any data or information security programme
• The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
• A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing
It’s worth noting that the above implies that business processes relating to data or information security must exist – so merely having a set of controls (such as security software or periodic training) without a process to ensure these are adequate and effective will not be enough.
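The bullet above describes pseudonymisation as a “reversible” anonymisation. The following is an added illustration, not code from the original article or from DQM GRC, of what that reversibility means in practice: direct identifiers are replaced by keyed HMAC tokens, and the key and token-to-identifier table are held separately so that only the controller can re-identify records. The sample records and field names are constructed for this example.

```python
import hmac
import hashlib
import secrets

# Constructed sample records; the people and addresses are invented for this example.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "postcode": "AB1 2CD", "purchase": 42.50},
    {"email": "bob@example.com", "postcode": "EF3 4GH", "purchase": 17.00},
    {"email": "alice@example.com", "postcode": "AB1 2CD", "purchase": 9.99},
]

# Fields treated as direct identifiers (an assumption for this example).
DIRECT_IDENTIFIERS = ("email",)


def make_key() -> bytes:
    """Secret used to derive tokens; part of the 'additional information' kept separately."""
    return secrets.token_bytes(32)


def pseudonymise(records, key):
    """Replace direct identifiers with keyed HMAC-SHA256 tokens.

    Returns (pseudonymised_records, lookup). `lookup` maps token -> original value
    and, together with `key`, must be stored apart from the pseudonymised dataset.
    The same identifier always yields the same token, so records stay linkable
    for analysis without exposing the identifier itself.
    """
    out, lookup = [], {}
    for rec in records:
        new = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            token = hmac.new(key, rec[field].encode(), hashlib.sha256).hexdigest()[:16]
            lookup[token] = rec[field]
            new[field] = token
        out.append(new)
    return out, lookup


def reidentify(pseudo_records, lookup):
    """Reverse the pseudonymisation using the separately held lookup table."""
    return [{**r, **{f: lookup[r[f]] for f in DIRECT_IDENTIFIERS}} for r in pseudo_records]


def leaks_identifiers(pseudo_records, original_records):
    """True if any original direct identifier survives verbatim in the pseudonymised data."""
    originals = {r[f] for r in original_records for f in DIRECT_IDENTIFIERS}
    return any(r[f] in originals for r in pseudo_records for f in DIRECT_IDENTIFIERS)
```

Someone who obtains only the pseudonymised dataset cannot recover the e-mail addresses without the key or the lookup table, which is why the data is considered pseudonymised rather than merely relabelled.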
Data processor security
When controllers are selecting processors they must only engage those that provide “sufficient guarantees to implement appropriate technical and organisational measures” to meet the requirements of the GDPR.
To make this easier controllers and processors that adhere to either an approved code of conduct or an approved certification may use these tools to demonstrate compliance with the GDPR’s security standards.
However, these “approved” certifications or codes of conduct are yet to be defined – but perhaps will include relevant ISO standards and/or industry certifications. Until they exist, some form of external security audit seems the only way of demonstrating compliance.
But what happens if security goes wrong?
Under the GDPR, a “personal data breach” is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
In the event of a personal data breach, data controllers must notify the supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it.” If notification is not made within 72 hours, the controller must provide a “reasoned justification” for the delay.
Importantly, notification is not required if “the personal data breach is unlikely to result in a risk for the rights and freedoms of natural persons,” a phrase that will require further clarification from the data protection board in time.
If a data processor experiences a personal data breach, it must notify the controller but otherwise has no other notification or reporting obligation under the GDPR.
If the controller has determined that the personal data breach “is likely to result in a high risk to the rights and freedoms of individuals,” it must also communicate information regarding the personal data breach to the affected data subjects “without undue delay.” Of course, where the breach involves many data subjects this is likely to be an extremely expensive penalty in itself…
However, the good news is that the GDPR provides for exceptions to notification where:
1. The controller has “implemented appropriate technical and organizational protection measures” that “render the data unintelligible to any person who is not authorized to access it, such as encryption”.
2. The controller takes immediate action after the personal data breach to “ensure that the high risk for the rights and freedoms of data subjects” is unlikely to happen.
3. When notification to each data subject would “involve disproportionate effort,” in which case alternative communication measures may be used – Note this is yet to be defined and is unlikely to be an easy way to avoid an expensive communication programme.
While it’s true that breaches of security don’t attract the highest fines under the legislation, they can still be up to 10 million euros or 2% of global turnover – whichever is the greater – so getting security right makes good commercial as well as moral sense.
By Peter Galdies, Development Director, DQM GRC
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.