In my last blog post, I talked about compliance with the European Union’s General Data Protection Regulation (GDPR), why U.S. businesses need to worry about GDPR, and some steps businesses can take to prepare for GDPR’s compliance deadline. The previous post contains the basics about GDPR. This post expands on one aspect of GDPR: information security requirements. The press has a lot of information about privacy protections under GDPR, but GDPR also contains requirements for data security.
What does GDPR require regarding data security? GDPR has a general statement about security. Article 32(1) says, “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.” The term “controllers” refers to businesses that collect personal data from European citizens and determine the purpose or means of processing data. “Processors” process personal data on behalf of controllers, such as a third-party service provider or outsourcing service vendor.
Unlike laws such as the U.S. federal Health Insurance Portability and Accountability Act (HIPAA) security regulations in the healthcare field, GDPR does not attempt to offer a complete list of security controls a controller or processor would need to implement. Instead, it provides the general statement about “appropriate” measures. It lists “technical” and “organizational” security measures. In this way, GDPR is similar to the HIPAA Security Rule’s requirements for “administrative” and “technical” safeguards. It provides a number of examples of controls, but the list is not meant to be exclusive.
“Organisational measures” are the nontechnical measures that an organization’s management establishes regarding acceptable personnel conduct, personnel procedures, and correct technology usage within a business. They cover the process of managing the security function within a business and the security-related tasks involved in hiring, training, managing, and disciplining personnel, as well as overseeing changes in work status, such as departures and changes in job responsibilities. Vendor selection and management controls fall within this category. Also, they include developing security documentation and assessing the effectiveness of a security program.
“Technical measures” refer to the deployment, configuration, and use of technology and supporting policies, procedures, and technical standards to maintain the confidentiality, integrity, and availability of personal data and the systems processing personal data. Examples include access control systems, remote access systems, firewalls, network design and boundary controls, intrusion detection or prevention systems, anti-virus systems, systems to maintain audit logs of operations, technology to check or maintain the integrity of data, encryption, and encryption key management systems.
HIPAA and the U.S. federal Gramm-Leach-Bliley Act covering financial institutions also call for “physical” safeguards to protect personal information. “Physical safeguards” cover the security of the work environment, such as data centers and offices, but also cover home offices and the environment in which users may use mobile devices. Locked doors, locked cabinets, and data center construction standards that create physical security tiers of protection are examples of physical safeguards. I believe the term “organizational measures” would be broad enough to encompass physical security controls. In one of the recitals (Recital 75), GDPR mentions threats of physical damage.
Does GDPR require breach notification? Yes. A “personal data breach” “means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” according to Article 4(12) of GDPR.
According to Article 33(1), when a personal data breach occurs, “the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority.” There are guidelines about which supervisory authority has jurisdiction over the collection and processing of personal data, but in the simplest case, if a controller’s operations are all within a single EU country, the supervisory authority in that country would be the appropriate supervisory authority to notify.
A controller may also need to inform the data subject. Article 34(1) says, “When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.” The implication is that if the risk from a breach is very low, then the controller must notify the supervisory authority but not data subjects. If the risk is high, the controller must inform affected data subjects.
Having discussed the basics of GDPR and information security here, I will cover various privacy topics and GDPR compliance practices in future posts.
Stephen Wu has written or co-written seven books on data security legal topics, and leads the International Network of Boutique and Independent Law Firms’ global GDPR working group. For assistance to determine if you must comply with GDPR or regarding your GDPR compliance program, please contact Stephen Wu by completing the web form here.