What Kind of Information Security does the GDPR require?
The GDPR divides companies who touch personal data into two groups – data controllers and data processors. Data controllers, for example online retailers, decide what personal data will be collected from consumers – data like names, email addresses, or mobile phone numbers. Often, a data controller will engage third parties, like an e-commerce platform or email management program, to store the personal data or to process payment information or send order status information to the consumers. Those third parties – anyone other than the data controller who touches an end consumer’s personal information for any reason authorized by the data controller – are data processors. If a company processes the information of EU consumers on behalf of a data controller, the GDPR applies, regardless of where the data controller or the data processor is located.
Article 28 says that a data processor must “take all measures required pursuant to Article 32. Article 32 covers the Security of Processing. Article 32 applies to both controllers and processors.
Article 32 does not proscribe specific security measures to be taken. It does not provide a checklist. Instead, Article 32 states that all security measures must be “appropriate” taking into account the state of the art, the nature of the processing, and the risk to the data subjects.
Does the GDPR give any examples of good security?
Article 32 says that the following security measures may be appropriate:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
A controller or processor can demonstrate appropriate “technical and organizational measures” in part by showing that in the collection and processing of personal data, privacy is “by design and by default.” Data protection “by design” means that the company has instituted privacy mechanisms from the earliest design, such as by choosing to pseudonymize or encrypt records. Data protection “by default” means that personal data is processed with the highest privacy protection, for example limiting the purposes for which the data is processed, the time period for which the data is stored, and the number of employees who have access to it.
Who is responsible for data security?
Both data processors and data controllers are responsible for technical and organizational security measures. Controllers can not work with processors who do not have appropriate security measures. Processors are solely responsible for making sure that they use and maintain appropriate security, and that any subprocessors they use also have appropriate security. Controllers are ultimately responsible to government authorities in the European Union, but they can require that processors cover any of their losses or fines if the controllers face liability because the processors did not process personal data securely enough. All of these issues, including what specific security measures the processor is expected to take, will be covered in a Data Protection Agreement between the controller and the processor.
Contact us with your questions about appropriate security measures to protect personal information.