GDPR (13) Adequate security for personal data
So far, we have mostly looked at the GDPR guidelines for the actual processing of personal data, including the conditions under which you may process data and how to communicate properly with data subjects. In addition to this, the GDPR requires that you adequately protect the data against risks during processing and at all other times.
While earlier legislation already included an information security obligation, under the GDPR responsibility for information security, which used to be restricted to the controller, will also lie with every processor that handles personal data on the instructions of a controller.
In order to explain how you can comply with this obligation, we first need to consider what information security involves. Obviously, larger organisations and also companies that handle confidential data on behalf of their customers on a systematic basis, such as Group Joos, have plenty of experience in this area. There are many different standards for information security, of which the best known is ISO 27001, and a vast array of policy papers, procedures and operational instructions exist to help organisations and their management, which can be considered a ‘science’ in itself. Here, however, we will consider the basic principles.
In the first place, you need to identify the threats to which personal data (just as all other confidential data) are exposed and from which they require protection. Many people refer in this context to the CIA principles (any resemblance to a well-known US organisation is purely coincidental). In this case, CIA stands for confidentiality, integrity and availability. Information security guarantees the confidentiality, integrity and availability of data.
- Guaranteeing confidentiality means ensuring that data are not made public and do not end up in the hands of anyone except the intended recipient. We are all aware of notable examples of the theft of hundreds of thousands of credit card details or the publication of confidential documents by hackers. Data breaches can, however, take much smaller forms, such as a letter that ends up in the wrong letterbox or an e-mail that is sent to the wrong recipient, either deliberately or accidentally.
- Protecting the integrity of data means that no data may be wrongly changed or erased. Falsification may be a straightforward case of fraud. Hackers are able to manipulate data, but unintended changes are much more frequently the result of human errors made when writing software or configuring systems or applications.
- Finally, you need to guarantee the availability of the data. Measures such as backups or a disaster recovery plan are designed to ensure that data are not lost and can be viewed and processed when required.
An information security program helps you to take the necessary steps in a systematic manner. You need to be aware of the specific risks to which the data are exposed, and try to remove or limit these risks or reduce their impact.
The GDPR does not specify exactly which measures are required to ensure adequate security. This is because the appropriate approach depends on many aspects. On the one hand, the risks are not always the same:
- The impact of any data breach is determined by both the quantity of the data and their nature (special categories, sensitive data or identification data as opposed to quasi-public data).
- The nature of the processing operation itself may entail specific risks. For example, additional attention has to be paid to automatic data analyses that are used as a basis for decision-making.
- Exchanging or transferring data may create extra risks.
- The involvement of third parties in the processing operation may pose an additional threat.
- The same protection does not apply outside Europe (more specifically outside the EEA).
- The length of time for which data are kept can also play a role.
On the other hand, science and technology are not standing still. This means that what counts as adequate security today may no longer be considered adequate in two years’ time.
It therefore comes down to striking a balance. The costs and effort involved in taking specific measures must be proportionate to the nature of the data and the damage that could result if something goes wrong.
Larger organisations undoubtedly already apply a great many procedures. They formulate their policy on information security and have a management system in place, they identify the risks and consider whether they are acceptable, they draw up procedures and instructions, they perform checks and arrange for external audits to be carried out, and they analyse incidents and learn from how procedures work today so they can make improvements moving forward. All of these steps are incorporated in the standards of ISO 27001, for example.
If you already have a management system of this kind in operation, you will not need to take much additional action to ensure your information security is ready for the GDPR. Obviously, you need to ensure that all personal data are classified as confidential and that the procedures for handling confidential data are applicable to them. Some additional procedures will probably also be required to improve the arrangements for specific personal data processing operations. Apart from that, however, the general framework will be applicable.
Firms or organisations that are not well versed in information security face a much greater challenge. In the next instalments of this blog I will therefore provide tips on dealing with information security at small organisations, including how to minimise the risk of incidents involving personal data by developing practical procedures and implementing measures in a pragmatic way using common sense, and how to demonstrate that you have done this in an adequate manner.
Viktor D’Huys is the ICT manager of Group Joos. He is responsible for matters including data security and the coordination of the GDPR project. He is a Certified Information Security Manager (CISM certified by the ISACA) and has been awarded the CIPP/E (Certified Information Privacy Professional/Europe) credential by the IAPP (International Association of Privacy Professionals).
If you have any questions or comments, please write to us at firstname.lastname@example.org.