The EU General Data Protection Regulation is finally here, and things like data mapping, data protection impact assessments, consent management, and data subject rights have been on everyone’s minds leading up to its arrival. While these operational requirements are obvious for many companies, some others have flown under the radar. One in particular that we have received questions about from our customers at OneTrust is the requirement for appropriate security.
Security of processing
Security of processing is a foundational principle of the GDPR. Under Article 5(1)(f), personal data shall be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”
This principle is further incorporated in Article 32, which mandates the implementation of “appropriate technical and organisational measures to ensure a level of security appropriate to the risk.” It is this “appropriateness” that is so important, as it is clear that because the GDPR takes a risk-based approach, an organization’s security does not have to be “perfect” and there is also no “one-size-fits-all” solution. This provides a great deal of flexibility for organizations in forming their information security program, as it often calls for conducting a risk-assessment and risk-treatment process that is inherently subjective in nature. However, this can also lead to a high level of uncertainty for organizations who are trying to do the right thing.
Fortunately, several EU member state supervisory authorities have released guidance on this topic.
For example, the U.K. ICO has provided a checklist for controllers and processors to use to assess security in their organizations, along with guidance on what needs to be protected, the level of security that is required (spoiler-alert: it has to be “appropriate”), the measures that need to be considered, what to do if operating in a sector that has its own security requirements, and more. The ICO also recommends the “cyber essentials” baseline set of controls — firewalls, secure device settings, access controls, anti-malware, and software updates — as a “good starting point,” and then building a program out from there depending on the organization’s particular circumstances and risks.
France’s supervisory authority, the CNIL, has also published a guide to securing personal data, in which it places particular emphasis on the risk-based approach discussed earlier:
"Such an approach allows for objective decision making and the determination of the measures strictly necessary and suitable to the context. It is, however, often difficult, when you are not familiar with these methods, to apply such an approach to ensure that the required measures have indeed been implemented," the guide reads.
It proceeds to list “the basic precautions which should be implemented systematically” in a risk management context that includes the following four stages:
- Listing the processing of personal data, the data processed, and the media on which they rely.
- Assessing the risks generated by each processing operation.
- Implementing and checking the planned measures.
- Carrying out periodical security audits, with each audit producing an action plan “monitored at the highest level of the organisation.”
The CNIL even goes on to state that this process “could help to fill in the section on the risk assessment of the [DPIA]” and that “[i]nformation security risk management can be carried out at the same time as privacy risk management since these approaches are compatible."
In addition to regulatory guidance, there are also a number of pre-existing information security frameworks that can be leveraged.
For instance, the IAPP and OneTrust recently published a white paper identifying six main areas of common ground between the ISO 27001 standard and the GDPR, “intended to demonstrate how ISO 27001-certified organizations are well positioned to respond to many GDPR priorities.”
Although they come from different perspectives, ISO 27001 and the GDPR at their core are both about reducing risk to people and organizations caused by misuse of personal data, with demonstrable overlap in both principles and requirements.
Additionally, there is significant overlap with the AICPA Trust Services Criteria, which serve as the basis for the popular SOC 2 report, as well as with the Cloud Security Alliance Consensus Assessments Initiative Questionnaire, which is already mapped to Directive 95/46/EC. Other frameworks include NIST SP 800-53, COBIT 5.0, and the ENISA IAF.
Although not specifically tailored to the GDPR, these frameworks are still relevant: they are well respected, have served as industry standards for many years, and can be immensely valuable as part of establishing your overall security posture.
Strong security as a mitigating factor
Having a strong information security program can also be viewed as a mitigating factor for a supervisory authority calculating a potential fine. For example, under Article 83(2) of the GDPR, “the intentional or negligent character of the infringement” as well as “the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them” are just two mitigating factors that a supervisory authority must take into account when deciding on an administrative fine. In other words, being able to show that you have an established information security program with industry standard measures, as opposed to being asleep at the wheel, should hopefully go a long way in the eyes of a supervisory authority.
According to the U.K. ICO, “[i]nformation security is important, not only because it is itself a legal requirement, but also because it can support good data governance and help you demonstrate your compliance with other aspects of the GDPR.” This is a key point, as compliance efforts tend to result in chopping up the GDPR into different requirements and tasks to complete. Therefore, as we enter into this new age of data protection, we should remember that the GDPR is, at its core, about just that: protecting personal data.