The General Data Protection Regulation ((EU) 2016/9679) (GDPR) came into effect on 25 May 2018. One of the key principles centres on integrity and confidentiality of personal data. Article 5(1)(f) of the GDPR provides that personal data shall be:
“processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (emphasis added)”
The GDPR goes a little further than the previous data protection framework (that is, under the EU Data Protection Directive 95/46/EC) and provides some description of the technical and organisational measures expected to achieve a level of security appropriate to the risk associated with the processing of personal data (see Article 32 of the GDPR). Inevitably, however, decisions around security will need to be made by the controller and/or processor – and it will therefore be for them to determine what is “appropriate”.
We have seen that the National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO) have published ‘security outcomes’ aiming to provide some further guidance on the security of processing personal data.
On 18 May 2018, the NCSC and ICO published a set of technical security outcomes considered to represent “appropriate measures” under Article 5(1)(f). This guidance describes an overall set of outcomes that are considered ‘appropriate’ to prevent personal data being accidentally or deliberately compromised.
The security outcomes have been developed in line with the following four aims:
- Managing security risk
- Enhancing data protection in corporate governance
- Establishing appropriate risk management which involves identifying, assessing and understanding the security risks around the personal data being processed
- Implementing asset management by limiting the personal data held – in terms of purpose and duration – to what is necessary; and
- Ensuring that processors act in compliance with the GDPR
- Protecting personal data against cyber attack
- Implementing service policies and processes to secure systems involved in the processing of personal data
- Identifying and managing access to personal data
- Ensuring technical controls are implemented to prevent unlawful processing of personal data
- Establishing technical and organisational security measures to protect systems, technologies and services processing with personal data from cyber-attack and
- Increasing staff awareness and training
- Detecting security events
- Monitoring status of systems processing personal data and
- Monitoring authorised user access to personal data
- Minimising the impact of data breaches
- Preparing a response and recovery plan in the event of a personal data breach, including minimising the impact, restoring systems and services, managing the incident appropriately and evaluating lessons learned for the future; and
- Building in improvements, such as taking steps to understand the root cause of the breach, reporting the breach to the ICO and individuals where applicable, and taking appropriate remedial action.
There is no one-size-fits-all solution to security. What is clear is that organisations are required to think carefully about the personal data they process and the security risks around the processing of the data. The risk assessment and implementation of “appropriate” security measures need to address these security risks and be documented in relevant security policies and related data breach procedures.