The GDPR requires the controller and the processor to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. To determine the “appropriate level of security,” an assessment must be carried out that takes into account:
- The state of the art,
- The costs of implementation,
- The nature, scope, context and purposes of processing, and
- The risk of varying likelihood and severity for the rights and freedoms of individuals.
Account must also be taken in particular of the risks presented by the processing, “in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.”
“Personal data breach” is defined in the GDPR as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” Thus, in assessing the appropriate level of security, account must be taken in particular of the risks that are presented by a personal data breach.
After the nature, scope, context and purposes of the processing have been assessed, the security assessment should assess the risks to the fundamental rights and freedoms of individuals. First, for each of three threat types (illegitimate access to personal data, undesired modification of personal data, and disappearance of personal data) the threat likelihood is rated, from the perspective of the individual, as remote, possible or probable. Then, for each threat type, the impact in the context of the processing activity is rated: the severity of the harm that the threat could cause an individual, as minimal, significant or severe. The calculation is: (impact level) x (threat likelihood level) = inherent risk level. The inherent risk level is high, medium or low; if it is medium or high, measures to reduce the inherent risk need to be considered.
Once the inherent risk is known, the technical and organizational security measures are assessed. Each measure is rated as highly effective, somewhat effective or less effective. The scores from all the categories of security measures are totaled, and the overall effectiveness of the security measures is rated as low, medium or high. The calculation is: (inherent risk level) x (measures effectiveness) = residual risk level. According to the GDPR, the appropriate technical and organizational measures to be evaluated include:
- The pseudonymization and encryption of personal data;
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
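The two-stage calculation described above (impact x likelihood = inherent risk, then inherent risk x measures effectiveness = residual risk) can be made concrete with a small scoring script. The following is an added example, not code from the blog or from GDPRsimple: the level names (remote/possible/probable, minimal/significant/severe, less/somewhat/highly effective, low/medium/high) are the blog's, but the numeric scales, the bucketing thresholds, the mitigation factors and the sample payroll-system ratings are all assumptions made for this illustration.

```python
from dataclasses import dataclass

# The three threat types the assessment considers (from the blog).
THREAT_TYPES = ("illegitimate access", "undesired modification", "disappearance")

# Ordinal scales. The level names come from the blog; the numbers are an
# assumption made for this example.
LIKELIHOOD = {"remote": 1, "possible": 2, "probable": 3}
IMPACT = {"minimal": 1, "significant": 2, "severe": 3}
MEASURE_SCORE = {"less effective": 1, "somewhat effective": 2, "highly effective": 3}

# Assumed mitigation factor: how far a given overall measures effectiveness
# scales the inherent score down when computing residual risk.
MITIGATION = {"low": 1.0, "medium": 0.5, "high": 0.25}


def level_from_score(score: float) -> str:
    """Bucket a score (max 9) into low/medium/high. Thresholds are assumed."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def inherent_risk(impact: str, likelihood: str) -> tuple[int, str]:
    """(impact level) x (threat likelihood level) = inherent risk level."""
    score = IMPACT[impact] * LIKELIHOOD[likelihood]
    return score, level_from_score(score)


def measures_effectiveness(ratings: dict[str, str]) -> str:
    """Total the per-category ratings and bucket the total as low/medium/high.
    Buckets are a fraction of the maximum possible total (assumed thresholds)."""
    total = sum(MEASURE_SCORE[r] for r in ratings.values())
    fraction = total / (3 * len(ratings))
    if fraction >= 0.75:
        return "high"
    if fraction >= 0.5:
        return "medium"
    return "low"


def residual_risk(inherent_score: int, inherent_level: str, effectiveness: str) -> tuple[float, str]:
    """(inherent risk level) x (measures effectiveness) = residual risk level.
    Measures only come into play when the inherent risk is medium or high."""
    if inherent_level == "low":
        return float(inherent_score), inherent_level
    score = inherent_score * MITIGATION[effectiveness]
    return score, level_from_score(score)


@dataclass
class ThreatResult:
    threat: str
    inherent_score: int
    inherent_level: str
    residual_score: float
    residual_level: str


def assess(threats: dict[str, tuple[str, str]], measures: dict[str, str]) -> list[ThreatResult]:
    """Run the full assessment and return one ThreatResult per threat type."""
    effectiveness = measures_effectiveness(measures)
    results = []
    for threat in THREAT_TYPES:
        impact, likelihood = threats[threat]
        i_score, i_level = inherent_risk(impact, likelihood)
        r_score, r_level = residual_risk(i_score, i_level, effectiveness)
        results.append(ThreatResult(threat, i_score, i_level, r_score, r_level))
    return results


# Constructed sample: a payroll system holding employee records.
# (impact, likelihood) per threat type, rated from the employee's perspective.
SAMPLE_THREATS = {
    "illegitimate access": ("severe", "probable"),
    "undesired modification": ("significant", "possible"),
    "disappearance": ("significant", "remote"),
}
# One constructed rating per measure category listed in the blog.
SAMPLE_MEASURES = {
    "pseudonymisation and encryption": "highly effective",
    "confidentiality, integrity, availability, resilience": "less effective",
    "timely restoration of availability and access": "highly effective",
    "regular testing and evaluation of measures": "less effective",
}

if __name__ == "__main__":
    for r in assess(SAMPLE_THREATS, SAMPLE_MEASURES):
        print(f"{r.threat:24} inherent {r.inherent_score}={r.inherent_level:6} "
              f"residual {r.residual_score:.2f}={r.residual_level}")
```

With the sample ratings, illegitimate access scores 9 (high) inherently and, because the measures total only reaches "medium" effectiveness, stays at medium residual risk, which is exactly the signal that further measures need to be considered for that threat; undesired modification drops from medium to low, and disappearance never needed measures because its inherent risk was already low.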
A controller’s or processor’s ability to adequately assess security risks is necessary for them to be able to conduct data protection impact assessments (DPIAs), which are required in particular when the processing uses new technologies. DPIAs will be discussed in a later blog.
This blog is the 29th in a series of blogs that explains, in bite-size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, can help SMEs implement the GDPR and demonstrate their implementation. Each of the bite-size pieces is part of one of the eight topics in GDPRsimple.