GDPR Fundamentals: Data Security Requirements
Appropriate Data Security Controls
While GDPR is primarily a data privacy law, it also includes elements of data security. But of course, GDPR is ambiguous so it’s not very prescriptive when it comes to data security requirements for processing personal data. The law requires each organization to evaluate its own data security based on risk, processing activities, and its organizational structure. By putting this in the hands of the organization, the organization can determine what’s an appropriate control. Organizations are also allowed to consider the ability and resources of an organization to implement a control. Just because a control is a possibility for mitigating risk doesn’t mean that it’s an appropriate control. What’s appropriate for one organization may be too expensive, impractical, or not secure enough for another organization. Appropriate organizational and technical data security controls include risk assessments, encryption, pseudonymization, and documented policies of things like business continuity, physical security, logical access, configuration management, human resources, and management oversight.
There should also be a process to monitor and test the effectiveness of data security controls, which is where internal and third-party auditing comes into play. These will serve as an effective way of demonstrating that thought and objectivity has been considered when it comes to what is appropriate for an organization. There have been unofficial attempts to map GDPR requirements to other information security frameworks, but they may be incomplete with respect to data security and privacy elements.
While GDPR is primarily a data privacy law, it also includes elements of data security and those requirements apply to both controllers and processors. GDPR is not prescriptive when it comes to security requirements for processing personal data. Instead, GDPR requires each organization to evaluate its own security based on risk, processing activities, and organizational structure. That’s because privacy needs evolve and privacy threats evolve, so GDPR is designed to evolve along with those needs and privacy threats. Some examples of appropriate organizational and technical controls include risk assessments, encryption, pseudonymization, and documented information security policies that cover things like business continuity, physical security, logical access, configuration management, human resources, and management oversight.
In addition to those particular controls and documentation around the policies and procedures of those controls, there should also be a process to monitor and test the effectiveness of those controls. This is where internal and third-party auditing comes into play. There have been some unofficial attempts to map GDPR requirements to ISO 27001 and SOC audits, and those are effective ways of monitoring organizational controls, but for GDPR purposes, they may be incomplete with respect to some of the data privacy elements.
Because GDPR is not prescriptive when it comes to the appropriate organizational and technical controls, there will be codes of conduct and certification standards that will provide some level of prescriptiveness when it comes to the security of processing. Until those codes come out, or if an organization decides to determine its own standards for what is appropriate, things like internal and third-party audits will serve as an effective way of demonstrating that thoughts and objectivity has been considered when it comes to what is appropriate for an organization.
In order to determine if a control is appropriate, whether it’s an organizational control or a technical control, it’s important to know what the goal is for the security of processing under GDPR. The goal is to prevent the unauthorized or accidental destruction, use, or disclosure of personal data. For almost any security threat, there is one or more tools or controls if your budget, time, and resources are unlimited. Fortunately, GDPR allows organizations to take into consideration the cost, practicality, and reasonableness of a control to mitigate risk. GDPR expects organizations to take what is appropriate for the organization, for the risk, and for the processing activity.
In addition to considering the processing risks to data subjects, organizations are also allowed to consider the ability and resources of an organization to implement a control. Just because a control is a possible control that would mitigate a risk doesn’t mean that it’s an appropriate control. It might be beyond the scope because it’s too expensive or not practical, or it might be insufficient because it’s not secure enough.