These are just a few examples of what can go wrong if personal data is lost, stolen, misplaced or abused, which is exactly why the GDPR has put a lot of emphasis on its Security Principle. This principle puts an obligation on all data processors to put in place appropriate technical and organisational measures to minimise potential risks.
Article 5(1)(f) of the GDPR states that personal data shall be:
“Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
So what exactly do organisations who process personal data need to do in order to comply with the security principle? This will of course depend on the type and size of the organisation in question, what kind of personal data it is processing, how it is processing it, and so on. Organisations must undertake a risk analysis, review their organisational policies and look at the physical and technical measures that they currently have in place to ensure that they are adequately protecting the personal data being processed. They must ensure the “confidentiality, integrity and availability” of systems and services at all times. This means that the data is accessed, altered, disclosed or deleted only by those with proper authorisation; that the data held by the organisation is accurate and complete in relation to the purpose of processing; and that, if a physical or technical incident ever poses a risk to the personal data being processed, the organisation must be able to restore access and availability to that data in a timely manner.
Small, low-budget businesses have voiced concerns over the financial impact that introducing such measures will have. However, it must be remembered that organisations can consider the state of the art and the costs of implementation when deciding what measures to take. Whatever is chosen must be appropriate and proportionate to the circumstances and to the risk that the processing in question poses.
There are a number of measures which organisations can take to help them meet these security requirements more easily. Measures such as pseudonymisation and encryption are useful security measures which can help organisations. Whatever measures are taken, organisations must put in place processes to regularly test their effectiveness. Technical measures in particular will require regular review and potential upgrading in order to remain adequate.
Data controllers must also consider what additional steps are needed if they use any third-party data processors. Controllers are responsible for ensuring compliance with the GDPR, including what the processor does with the data. The issue of security must also be covered in the controller-processor contract, which must stipulate that the processor takes all security measures set out by Article 32. On top of this, the controller should be able to audit or inspect the processor to ensure these measures are being complied with. Processors should therefore be chosen carefully, and only those who can satisfy these requirements should be used.
Ensuring security is important for organisations, not only because it is a legal requirement, but also because it is evidence of an organisation’s compliance with other aspects of the GDPR. If there is ever a breach and the ICO is looking at the facts of the case, it must take into account the technical and organisational measures that the organisation has in place.
To enable all of this to be achieved, organisations should also be training their staff regularly. Everyone who is involved in the data processing must understand the risks and implications of data breaches. Having a comprehensive security policy in place, and making sure that staff are familiar with it, is key to compliance.