The ‘security principle’ under GDPR and personal data breaches
4th May 2018
The ‘security principle’
In a world where increasingly sophisticated cyberattacks are an ever-present threat and rarely out of the news, people want to be able to trust that their data will be protected. They also want to be able to trust that it will be handled and used appropriately. On the other hand, businesses want to avoid the potential reputational damage and hefty fines arising from avoidable or poorly managed personal data breach incidents.
It is a GDPR requirement that personal data is “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures” – this is the ‘security principle’.
More specifically, GDPR provides that, “taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”.
The ICO recently expanded the security section of its Guide to the GDPR. The following key points arise from the guidance:
- Organisations must have appropriate security in place to prevent the personal data they hold from being accidentally or deliberately compromised – this includes physical and organisational measures, not just ‘traditional’ cybersecurity.
- Organisations should aim to build a culture of security awareness.
- Information security can support good data governance and help organisations to demonstrate compliance with other aspects of GDPR.
- Ensuring confidentiality, integrity and availability of personal data is key. Information security measures should seek to guarantee all three of these elements for systems and the data they process.
- Organisations must also be able to ensure the resilience of their processing systems and services – think, for example, about business continuity and disaster recovery plans.
- The ICO is required to consider an organisation’s technical and organisational measures in the context of imposing administrative fines.
- As there is no ‘one size fits all’ approach, organisations should carry out a risk analysis in order to decide on what measures will be appropriate, and to document the findings. The risk analysis should take into account the requirements for restoring availability and access to personal data in a ‘timely manner’.
- In relation to cybersecurity, meeting the requirements of the government’s Cyber Essentials Scheme is a good start, but organisations may need to go further depending on their processing activities. The ICO’s Guide contains various other links on cybersecurity measures and guidance. Pseudonymisation and encryption may be appropriate technical measures.
- The ICO will have regard to the extent to which any sector-specific security requirements have been met.
- Controllers must put certain measures in place when a data processor is involved, including in relation to the contractual arrangements between them. See the ICO’s draft guidance on contracts and liabilities for controllers and processors.
- GDPR requires organisations to undertake regular testing, assessment and evaluation of the effectiveness of their security measures. The results should be documented, and any recommendations acted upon and the corresponding safeguards implemented.
- It is a GDPR requirement to ensure that staff do not process any personal data unless instructed to do so. Appropriate initial and refresher training should be provided.
A note on personal data breaches
However robust an organisation’s security measures, there is always the possibility that a personal data breach could occur at any time. The ICO’s Guide to the GDPR contains a section on personal data breaches. Data controllers in particular should be aware of the following key points:
- GDPR requires data controllers to report certain types of personal data breach to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. Section II of the WP29’s guidelines on personal data breach notification provides more information about when a controller becomes “aware”.
- Failure to report a notifiable breach can result in a fine of up to 2% of annual global turnover or €10 million (whichever is the greater). It is essential to have an effective breach response plan in place in order to meet the notification obligations.
- It is important to keep in mind that a personal data breach is not just about the loss or theft of personal data. It is broader than that and includes, for example: unavailability of personal data; accessing or passing the data on to someone else without proper authorisation; and alteration of personal data without permission.
- In the event of a personal data breach, the controller must notify the relevant supervisory authority, unless it can demonstrate that the breach is unlikely to result in a risk to people’s rights and freedoms. Section IV of the WP29’s guidelines on personal data breach notification sets out the factors to consider when assessing risk.
- GDPR requires certain information to be provided in a breach notification. This includes details of the measures taken or proposed to be taken to deal with the breach. If breach notification takes longer than 72 hours, reasons must be given for the delay. Communicating and cooperating with the ICO (or other relevant supervisory authority) is key. It is possible to provide the information in phases if it is not immediately available, but note that the ICO will expect the controller to, among other things, prioritise its investigation.
- Where the controller decides that it does not need to notify a breach, it should still document its justification for reaching that conclusion. A record of any personal data breaches must be kept in any event, setting out the facts relating to the breach, its effects, and the remedial action taken.
- If the breach is likely to result in a high risk to people’s rights and freedoms, those individuals must be directly informed without undue delay. Certain information must be provided to them.
- As with security measures, the contract between the controller and the processor must contain certain provisions in relation to breach notification obligations. See the ICO’s draft guidance on contracts and liabilities for controllers and processors. A data processor must inform a data controller without undue delay as soon as it becomes aware that it has suffered a personal data breach.
- Note that GDPR does not replace personal data breach notification requirements that organisations may be subject to under other legislation, for example the Privacy and Electronic Communications Regulations and the Security of Network and Information Systems Directive.