Security Requirements Under GDPR: More Than Meets the Eye
Author: Clarip’s Chief Privacy Officer
As complex and far reaching as GDPR may be, one area where privacy professionals may get a break is Article 32, Security of Processing. GDPR does not minimize security at all; rather, the language of Article 32 takes a broad, flexible and risk-based approach. In other words, it is reasonable and practical.
Appropriate controls are scoped to the risk: Article 32 asks organizations to weigh the state of the art, the cost of implementation, and the nature, scope, context and purposes of the processing against the likelihood and severity of harm to the individuals whose data is processed. The measures it names include pseudonymisation and encryption, ongoing confidentiality, integrity, availability and resilience of systems, the ability to restore access after an incident (business continuity), regular testing of the controls, and protection against unauthorized access, alteration and disclosure. Security professionals will find all of this familiar, reasonable and most likely already present in any reasonably complete information security program.
However, it would be unwise and incorrect to treat Article 32 as the only place where GDPR requires security considerations. A well-rounded GDPR compliance program should also address the security measures that other GDPR mandates raise. Here are just a few other GDPR mandates where security measures must be considered and addressed:
Breach Notification and Response: Articles 33 and 34 cover the long-standing issue most tightly aligned with a security program: incident response and breach notification. Notice to the supervisory authority is required unless the breach is unlikely to result in a risk to individuals, and notice to the affected data subjects is required where the breach is likely to result in a high risk to them. Knowing how GDPR is similar to or different from your existing response and notification requirements is of prime importance. Two key issues to keep in mind:
• the supervisory authority must be notified without undue delay and, where feasible, within 72 hours of the controller becoming aware of a reportable breach, and a processor must notify its controller without undue delay; and
• in addition to the legal requirements, controllers usually impose stricter contractual obligations on their processors, such as shorter notification windows, so the contract rather than the regulation often sets the operative deadline.
Records of Processing Activities: Article 30 requires that, where possible, the records controllers and processors keep of their processing activities include a general description of the technical and organizational security measures implemented under Article 32(1). In practice this means the security program must be documented in a form that maps to specific processing activities, not just described in a standalone policy.
International Transfers: Articles 44 through 47 set out the requirements that must be in place before personal data can be transferred to a third country outside of the EU. Each type of transfer mechanism has security obligations embedded in it that are important to understand and incorporate.
• Adequacy decisions issued prior to GDPR remain in effect. The countries covered achieved that designation on the strength of the data protection laws and enforcement procedures they impose, including security mandates. For each transfer that relies on adequacy, the security obligations specific to the applicable country should be understood and addressed.
• Appropriate-safeguard transfers, such as the standard contractual clauses (model clauses), likewise include security obligations. Because the model clauses cannot be edited, the security measures they require are effectively a contractual obligation regardless of GDPR enforcement.
• Finally, binding corporate rules (BCRs) take a holistic approach to data protection, including policies, accountability and training around appropriate security assessments and protections.
Data Protection Impact Assessments (DPIA): Articles 35 and 36 describe the obligation to carry out DPIAs for high-risk processing and to consult the supervisory authority where residual risk remains high. Both in the text of GDPR (Article 35(7), which requires the assessment to set out the measures envisaged to address the risks, including security measures) and in the guidance released by the Article 29 Working Party, security measures are a key factor in conducting an effective DPIA. To have real business impact and comply with GDPR, a DPIA must assess risk, including risks to security; take input from security experts; identify the security measures to be implemented; and document the residual risk, including residual risk to security, that remains after those measures are applied.