Security measures in GDPR
What the GDPR says
The GDPR imposes a general obligation of security of personal data. This obligation stems from Article 5 1. f) and Article 32.
Article 5 1. f)
Personal data must be [...] processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
Article 32 1.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
In France, the Data Protection Act also recalls this requirement in its article 4.
Thus, each processing operation must be subject to a set of security measures decided according to the context. These obligations are therefore always adapted to the particularities of the processing and to the risks that it presents for the rights and freedoms of the data subjects.
Article 32 is a reminder that the security measures taken reduce the risks for individuals. They thus preserve:
▶ The rights and freedoms of individuals,
▶ The organization's information assets,
▶ The organization's reputation.
Because risks to people change rapidly (in nature, probability, severity, etc.), security measures must be integrated so that they reduce these risks, including over time.
NB: since security is a continuous process, it is advisable to update and control the installed procedures regularly.
Let's go a step further and find out what Article 32.1 of the GDPR tells us:
"The controller and the processor are obliged to implement the appropriate technical, organizational measures to ensure a level of security adapted to the risks, and in particular: pseudonymization and encryption of personal data, means to ensure the confidentiality, integrity, availability, constant resilience of the processing systems and services, means to restore the availability of and access to personal data within appropriate timeframes in the event of a physical or technical incident, a procedure to test, analyze, regularly evaluate the effectiveness of technical and organizational measures to ensure the security of the processing. "
Thus, because the GDPR extends responsibility, these security obligations fall on the controller but also on the processor. Finally, these measures protect individuals, but also their data: we are talking about integrity, confidentiality and availability of data.
Reduce the risks
The security obligation must be understood globally, through 3 principles that help reduce the risks:
▶ Principle of confidentiality
▶ Principle of integrity
▶ Principle of availability
Each principle guards against a multitude of risks. For example:
- Unauthorized access for data confidentiality,
- Unauthorized modifications for data integrity,
- Data inaccessibility for data availability.
The sources of these risks can be multiple. Each risk is assessed according to the probability of it occurring and the impact it could have if it became a reality.
Examples of risks:
Risks can be internal or external.
- Stakeholders (employees, visitors, competitors) can, by mishandling data, accidentally or deliberately increase the risk of leakage, theft, loss, etc.
- The risk can come from malicious attacks, organized crime or others.
- The risk can also come from failures, disasters, incidents, voluntary actions...
In short, every data processing operation can easily be subject to security risks, which justifies the implementation of security measures.
Some examples of security measures are suggested by the GDPR but not mandated:
▶ Encryption of data: only the sender and the recipient can access the content. Once the data is encrypted, the specific key is required; without it, the message is inaccessible and unreadable.
▶ Pseudonymization: replacing an identifier, or more generally personal data, with a pseudonym. It is still possible to re-identify the person by combining the pseudonym with other information (which is what distinguishes it from anonymization).
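The pseudonymization described above, as an added example that is not part of the original page: a keyed pseudonym replaces the identifier in the working dataset, while the key and the lookup table (the "other information" that allows re-identification) are held separately. The use of HMAC-SHA256, the field names and the sample records are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def normalize(identifier: str) -> str:
    """Canonical form so 'Alice@Example.org ' and 'alice@example.org' match."""
    return identifier.strip().lower()


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym (HMAC-SHA256, truncated to 128 bits)."""
    digest = hmac.new(key, normalize(identifier).encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:32]


def split_dataset(records, key, id_field="email"):
    """Return (working rows without the identifier, re-identification table).

    The table and the key are the "other information" that allows
    re-identification; they must be stored apart from the working rows.
    """
    rows, table = [], {}
    for rec in records:
        pseudonym = pseudonymize(rec[id_field], key)
        table[pseudonym] = normalize(rec[id_field])
        row = {k: v for k, v in rec.items() if k != id_field}
        row["subject"] = pseudonym
        rows.append(row)
    return rows, table


def reidentify(pseudonym: str, table: dict):
    """Only a holder of the table can map a pseudonym back to a person."""
    return table.get(pseudonym)


# Constructed sample records (not real data).
SAMPLE = [
    {"email": "Alice@example.org", "plan": "premium", "visits": 12},
    {"email": "bob@example.org", "plan": "free", "visits": 3},
    {"email": "alice@example.org ", "plan": "premium", "visits": 4},
]

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # assumed to live in a separate key store
    rows, table = split_dataset(SAMPLE, key)
    for row in rows:
        print(row, "->", reidentify(row["subject"], table))
```

Because the working rows can still be linked back to a person through the table, they remain personal data; destroying the key and the table is what moves the dataset towards anonymization.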
The organization is thus obliged to take measures. There are 3 types of measures:
▶ physical measures: locking doors, etc.;
▶ logical or "software" measures: antivirus, password;
▶ organizational measures: procedure, security governance.
Physical measures
This involves facilitating access to the premises, while guaranteeing data security.
Examples of measures:
- Install anti-intrusion alarms, with verification,
- Distinguish building zones according to risks, for example rooms housing servers,
- Physically protect computer equipment,
- Install locks in each office, etc.
Logical measures
▶ Adopt a strict password policy for workstation access.
- Assign a unique user ID to each user and prohibit shared accounts.
- Require strong passwords.
- Temporarily block account access after multiple failed authentications.
▶ Secure workstations.
- Automatically lock workstations after a short period of inactivity.
- Control the use of USB ports on sensitive workstations.
▶ Trace access to the active database and the various archives.
- Make actors responsible by creating a procedure for tracing actions on files.
- Regularly control traces via automated detection of suspicious actions.
▶ Protect the internal computer network and servers from external attacks.
- Keep firewalls and antivirus software regularly updated.
- Use secure channels and authentication systems for remote connections.
- Limit access to administrative tools and interfaces to authorized personnel only.
▶ Anticipate the risk of data loss or disclosure.
- Perform regular backups and store them at a separate site.
- Protect logging equipment and logged information.
- Systematically encrypt data stored on mobile devices (USB keys, smartphones, computers, etc.).
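Two of the measures above (temporarily blocking an account after multiple failed authentications, and automated control of access traces) combined in an added example that is not part of the original page. The thresholds, the event format and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                  # assumed policy: failures tolerated per window
WINDOW = timedelta(minutes=10)    # assumed sliding window
LOCK_FOR = timedelta(minutes=15)  # assumed duration of the temporary block


def replay(events):
    """Apply the lockout policy to (iso_timestamp, user, outcome) events.

    Returns the trace entries a reviewer should look at:
    (timestamp, user, "locked" | "rejected_locked").
    """
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    locked_until = {}               # user -> end of the temporary block
    trace = []
    for ts, user, outcome in events:
        now = datetime.fromisoformat(ts)
        if locked_until.get(user, now) > now:
            # Even a correct password is refused while the block is active.
            trace.append((ts, user, "rejected_locked"))
            continue
        if outcome == "ok":
            failures[user].clear()
            continue
        recent = failures[user]
        recent.append(now)
        while recent and now - recent[0] > WINDOW:
            recent.popleft()        # forget failures outside the window
        if len(recent) >= MAX_FAILURES:
            locked_until[user] = now + LOCK_FOR
            recent.clear()
            trace.append((ts, user, "locked"))
    return trace


# Constructed authentication events (not real logs).
EVENTS = [
    ("2024-03-01T09:00:00", "alice", "fail"),
    ("2024-03-01T09:01:00", "alice", "fail"),
    ("2024-03-01T09:01:30", "bob", "fail"),
    ("2024-03-01T09:02:00", "alice", "fail"),
    ("2024-03-01T09:03:00", "alice", "fail"),
    ("2024-03-01T09:04:00", "alice", "fail"),
    ("2024-03-01T09:05:00", "alice", "ok"),
    ("2024-03-01T09:06:00", "bob", "ok"),
    ("2024-03-01T09:20:00", "alice", "ok"),
]

if __name__ == "__main__":
    for entry in replay(EVENTS):
        print(entry)
```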
Organizational measures
These are complementary to the physical or logical measures, and structure and create the procedures for the application of the chosen security measures.
▶ Data access control policy.
- Define procedures to be followed for each movement of personnel (arrival, departure, or change of assignment).
- Conduct regular reviews of the rights granted to users.
- Provide for checks to be carried out in the event of a request from a third party to transmit data (e.g. police services, etc.).
▶ Make users aware of the conditions of data use.
- Distribute and have each user sign a computer charter, which reminds them of the conditions of use of computer equipment and personal data.
- Regularly make users aware of internal and criminal rules, and of existing threats (breaches, cyber-manipulation, etc.).
- Document data exploitation procedures, update them and make them available to users.
▶ Define a policy for managing incidents involving personal data.
- Establish a procedure in case of theft/loss of personal data (people to notify, filing a complaint, etc.).
- Provide for the referent(s) to be notified in the event of a breach of data integrity, confidentiality, and availability.
▶ Provide for regular audits of procedures and processing.
- Identify relevant processing for regular internal or external audit.
- Establish a follow-up of the implementation of the measures recommended following the audits.
- Establish criteria for reviewing risk analyses (deadlines, technological advances, publicized flaws, etc.).
The Dutch supervisory authority imposed on May 12, 2021 a penalty of 525,000 euros on a Canadian company that had no representative in the E...