It’s all very well having good intentions to keep personal data secure, but to really be compliant, organisations should ensure that they are using appropriate technical and organisational measures. With the first real change to UK data protection law in 20 years, let’s take a look at what the General Data Protection Regulation (GDPR) says about security principles.
GDPR and security of personal data
The security of personal data is nothing new. The seventh data protection principle of the Data Protection Act (DPA) 1998 already required appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage, and the ICO’s guidance under it recommended assessing the risk to information before choosing those measures. The GDPR carries that obligation forward, spells out the risk-based approach behind it (Article 32) and backs it with significantly larger fines.
In the new regulations, Article 5(1)(f) talks about integrity and confidentiality of personal data, now known as the GDPR’s ‘security principle’:
“Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
The purpose of the security principle is to ensure that your organisation’s security measures help to prevent the personal data you hold from being lost, stolen, or in any way compromised. So when we talk about information security, we also include cyber, physical and organisational security.
The Information Commissioner’s Office (ICO) recommends that the security principle be considered alongside the GDPR’s Article 32, specifically Article 32(1):
“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”
Why is information security important?
If organisations and individuals fail to follow information security processes and principles, the risk to property and lives can be significant. Some examples of harm include:
- payment card, benefits, financial and identity fraud;
- stolen personal data making phishing or spear phishing attacks look more authentic;
- offenders and witnesses at risk of harm or intimidation; and
- exposure of personally identifiable information of service personnel or law enforcement.
Above all, information security is a legal requirement. It also supports good data governance and lets you demonstrate to your supply chain and customers that you can be trusted. The effort is worth it for another reason: if the worst were to happen, the ICO takes account of the technical and organisational measures you had in place when deciding whether to fine you and how much (Article 83(2)).
Security measures and the GDPR – What should they protect?
As we have already touched on, the security principle covers every aspect of personal data processing, cyber, physical and organisational alike.
So your security measures need to ensure that personal data can be accessed, altered, disclosed or deleted only by people you have authorised to do so, and only within the scope of that authority; that the data you hold is accurate and complete for the purpose you process it for; and that it remains accessible and usable when needed. These three requirements are the ‘confidentiality, integrity and availability’ (CIA) principle: confidentiality is the access control, integrity is accuracy and completeness, and availability is the data staying accessible and usable.
Although the GDPR does not prescribe specific security measures, it expects your organisation to implement an ‘appropriate’ level of security. Article 32(1) tells you what ‘appropriate’ depends on: the risk to the individuals the data relates to (how likely harm is and how severe it would be), the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing. So the starting point is a risk assessment of the personal data you hold, not a fixed checklist.
What organisational measures should you include for GDPR security?
An organisational measure would include carrying out an information risk assessment. Also, building a culture of information and cyber security in your organisation is essential in carrying the principles through on a day-to-day basis. This may be the responsibility of a Data Protection Officer (DPO) or another member of staff who is made accountable for communicating security awareness.
The ICO also suggests you include the following when taking steps to satisfy the security principle:
- co-ordination between key people in your organisation (eg the security manager will need to know about commissioning and disposing of any IT equipment);
- access to premises or equipment given to anyone outside your organisation (eg for computer maintenance) and the additional security considerations this will generate;
- business continuity arrangements that identify how you will protect and recover any personal data you hold; and
- periodic checks to ensure that your security measures remain appropriate and up to date.
The first step in adhering to the Confidentiality, Integrity, Availability principle is knowing where all of your personal data is. Luckily ISMS.online has a solution for that.
Need an efficient way to manage and categorise the personal data you store?
ISMS.online features a Personal Data Inventory & Records Processing Tracker to help you do just that.
The information in this blog is for general guidance and does not constitute legal advice.