The General Data Protection Regulation sets high requirements for the security of personal data against loss and unlawful processing. Read here what this means for your organization.
Pursuant to Article 13 of the Dutch Personal Data Protection Act (Wbp), every organization that processes personal data must take appropriate technical and organizational measures to protect personal data against loss and unlawful processing. Loss of personal data means that the personal data are lost to the controller, for example if a data centre burns down or a database is erased by human error while no backup exists. If personal data are processed by persons within or outside the organization who are not authorized to do so, for example through unauthorized access to or distribution of personal data, this is called unlawful processing.
Although the terms ‘loss’ and ‘unlawful processing’ are no longer used verbatim, this security obligation returns in Article 32 GDPR after the General Data Protection Regulation enters into force on 25 May 2018. Pursuant to that article, both the controller and the processor must take appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Article 32(1) GDPR lists the following examples of measures that must be taken, where appropriate:
- pseudonymisation and encryption of personal data;
- measures to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- measures aimed at timely recovery of the availability of and access to personal data in the event of a physical or technical incident; and
- establishing adequate procedures for regularly testing, assessing and evaluating the effectiveness of the security measures taken.
Article 32 GDPR does not require the controller and the processor always to take the strictest security measures. The level of security must be geared to the risks associated with the specific processing of personal data. For example, if data of a more sensitive nature are processed, or the context in which these data are processed poses a greater threat to privacy, stricter requirements apply to the security of those personal data. The controller or processor must therefore assess the risks involved in the processing of the specific personal data. A Privacy Impact Assessment (PIA), which will be discussed in more detail in a later episode of this blog series, is a proper tool for this. Subsequently, the controller or processor must take appropriate measures to manage these risks. What type of measures can be asked of the controller or processor will depend on all circumstances of the case. The following aspects play a role, inter alia:
- the nature of the personal data that are processed;
- the scope of the processing of personal data;
- the purposes of the processing;
- the possible threats;
- the seriousness of the consequences of a potential security incident;
- the chance that these consequences would materialize;
- the state of the art of the technology;
- the costs of implementing security measures; and
- the scope and financial possibilities of the organization.
As a rule, it would be fair to argue that if more security can be achieved at comparatively small additional cost, those measures must be regarded as ‘appropriate’, while costs that are disproportionate to the extra security they would bring are not required. Finally, the security obligation of Article 32 GDPR is an ‘ongoing obligation’. This means that the controller or the processor must demonstrably evaluate from time to time whether the security level, taking into account the aforementioned viewpoints, is still appropriate in view of the risks involved in the processing and the nature of the data processed, or whether additional measures are required to ensure the protection of personal data.
Technical security measures
As mentioned before, the controller or processor must take technical as well as organizational security measures. Technical security measures are technical protection measures designed to prevent or limit the loss or unlawful processing of personal data, or to minimize the seriousness of the consequences thereof. This could include, for example:
- pseudonymisation and encryption of personal data;
- two-factor authentication;
- virus scanners;
- software against malware attacks;
- making periodic backups;
- software that alerts the controller or processor to the imminent expiry of a retention period.
The average entrepreneur will not have the technical knowledge required to ensure an appropriate technical security level. This, by the way, also applies to the average lawyer. This is why we advise our clients to hire a specialist. It goes without saying that the privacy team of Ten Holter Noordam advocaten will be happy to put you in touch with ICT suppliers specialized in the technical security of personal data.
Organizational security measures
In addition to technical security measures, the controller or processor must also take organizational security measures. The controller must ensure that personal data are only accessible to those persons within the organization who need the data for the performance of their duties. This could include, for example:
- limiting the group of staff with access to specific personal data to those persons who need the data for the performance of their duties;
- granting these persons access only to the personal data that they need for the performance of their work;
- agreeing a confidentiality clause, including a penalty clause, with all persons who will be given access to personal data;
- storing personal data on servers in a locked room;
- storing hard copies in lockable cabinets;
- creating information security awareness among employees;
- establishing crystal-clear protocols and procedures for the timely and effective handling of information security incidents and security vulnerabilities;
- adequate monitoring of compliance with protocols and legislation.
Mind your processor agreement
If the controller outsources the processing of personal data to a third party (the processor), the controller must be able to ensure that the processor offers an appropriate level of security, and the controller must also actively monitor this. Outsourcing the processing of personal data must therefore not lead to a lower level of security. Pursuant to Article 28(3)(c) GDPR, the processor agreement must therefore also lay down that the processor must take appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Under Article 28(3)(b) GDPR, the processor agreement must also lay down that the processor ensures that all persons who, in the course of their work, become aware of the personal data made available by the controller to the processor are bound by a legal or contractual confidentiality undertaking, which is a textbook example of an organizational security measure. For a further explanation of the minimum required content of a processor agreement, I would like to refer you to the blog of my colleague Emiel de Joode in an earlier episode of this series.