The requirement to process personal data securely is a key principle of the GDPR. To meet this obligation, Article 32 of the GDPR requires organizations to implement “appropriate technical and organizational measures” that ensure a level of security appropriate to the risk.
Technical and organizational measures are the physical and digital processes, procedures, or controls put in place to protect personal data both at rest and in transit, and also to detect when those measures have been compromised. This can include policies for governing what employees can and cannot do with personal data, policy monitoring, responsibilities around safe digital practice, access controls, firewalls, incident and event logging, and monitoring technologies.
So far, so simple. But, when you dig into the details, things get a little complicated.
The broad language of the GDPR leaves room to account for the different risks that arise from the uniqueness of data processing in any given organization, but it also makes it difficult to know whether the technical and organizational measures you have chosen are “appropriate”. If something does ultimately go wrong and the relevant supervisory authority subjects your business to an audit or investigation, its idea of what would have been “appropriate” may differ considerably from yours. Article 32 asks you to take into account “the state of the art”, for example, but what counts as state of the art in security at a given moment is open to interpretation. And, following a data breach, you may face a regulator with the benefit of hindsight who assumes (perhaps unfairly) that something, such as your selection of controls, must not have been appropriate because it failed to prevent the breach that occurred.
So, what can you do to mitigate the risk?
When implementing controls for your organization, it is important to take a risk-based approach to protect data and to mitigate risks associated with areas such as:
1. Data type - Assess the types of data held and assign risk ratings depending on the sensitivity of the data and the potential risks to the rights and freedoms of data subjects (special category data such as health or biometric data, for instance, warrants a higher rating than business contact details).
2. Data source - Assess whether there are risks associated with the collection of the data or the method of collection. For example, if you collect personal data through your website, you must apply security measures to the website to protect the data while it is being collected (e.g. TLS on the pages and endpoints that receive the data, and server-side validation of what is submitted).
3. Data storage - Assess every risk associated with data storage and apply controls based on the method of storage used (e.g. local storage, cloud storage, hard copy storage). The controls should include, but not be limited to, technical controls such as access controls, encryption at rest and firewalls, and organizational controls such as policies and procedures dictating where data should be stored (e.g. designated storage drives), coupled with training to ensure that those with access to the data know the rules governing its use and protection.
4. Data in transit - Data will be transmitted at one point or another during its lifecycle. It is therefore important to note when and where the data may be transmitted and to apply controls proportionate to the risk. For example, supervisory authorities generally expect, as a minimum, that personal data and passwords are encrypted or otherwise protected before they are sent to an external party, with additional organizational measures in place to support the process (e.g. a policy that the password to an encrypted file must not be sent in the same email as the file, but over a separate channel such as a phone call or SMS).
5. Other processing activities - This covers how your organization uses the data it collects. You will need to account for the risks to the data while it is in use within the business, which may include technical and organizational measures restricting which software and systems may be used to process personal data, along with measures to prevent access to the data by unauthorized parties.
When accounting for these risks, it is vital to account for human error. Do not fall into the trap of narrowing your view of risk to external attackers only. Much of the risk to personal data comes from employee errors and mistakes: the majority of reported data breaches are caused by human error (misdirected emails, lost or unencrypted devices, misconfigured systems) or by attackers exploiting people through phishing and social engineering, rather than by purely technical exploits. It is therefore important to understand the common errors individuals make and the measures that can be implemented to reduce them.
Once you have completed the risk assessment you should have a good idea of the threats you face and the associated risks to personal data. That, in turn, allows you to properly assess which technical and organizational measures should be put in place to reduce those risks. This will inevitably require an investment of time and money to implement a control structure, but that investment should be proportionate to the risk rather than driven by what is cheapest or most convenient.
Finally, it is extremely important to record the organization’s rationale for the measures it applies and the reasons for applying them, based on the risks identified. Many organizations omit this step, which leaves them with little evidence to demonstrate that the controls they implemented were “appropriate” at the time. Such a record is not only core to satisfying the accountability principle; it also facilitates ongoing review of the risk assessment as circumstances change and new information becomes available (which is an organizational measure in and of itself). Having this information in your back pocket if a supervisory authority comes knocking can make all the difference.