A key principle of the General Data Protection Regulation is that you process personal data securely by means of ‘appropriate technical and organisational measures’ – this is the security principle. Doing this requires you to consider things like risk analysis, organisational policies, physical and technical measures.
Poor information security leaves your systems and services at risk and may cause real harm and distress to individuals – lives may even be endangered in some extreme cases.
Article 5.1.f of the GDPR concerns the ‘integrity and confidentiality’ of personal data. It says that personal data shall be:
‘Processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures’
You can refer to this as the GDPR’s ‘security principle’. It concerns the broad concept of information security.
This means that you must have appropriate security to prevent personal data that you hold being accidentally or deliberately compromised. You should remember that while information security is sometimes considered as cybersecurity (the protection of your networks and information systems from attack), it also covers other things like physical and organisational security measures.
You need to consider the security principle alongside Article 32 of the GDPR, which provides more specifics on the security of your processing. Article 32.1 states:
‘Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk’
We cannot provide a complete guide to all aspects of security in all circumstances for all organisations, but this guidance is intended to identify the main points for you to consider.
When it comes to security under the GDPR, the key points you should know and act on are:
• You should undertake an analysis of the risks presented by your processing and use this to assess the appropriate level of security you need to put in place;
• When deciding what measures to implement, you should take into account the state of the art and the cost of implementation;
• You should have an information security policy (or equivalent) and take steps to make sure the policy is implemented;
• Where necessary, you should have additional policies and ensure the controls are in place to enforce them;
• You should regularly review your information security policies and measures and, where necessary, improve them;
• You should put in place basic technical controls such as those specified by established frameworks like Cyber Essentials;
• You should understand that you may also need to put other technical measures in place depending on your circumstances and the type of personal data you process;
• You should use encryption and/or pseudonymisation where it is appropriate to do so;
• You should understand the requirements of confidentiality, integrity and availability for the personal data you process;
• You should make sure that you can restore access to personal data in the event of any incident, such as by establishing an appropriate backup process;
• You should conduct regular testing and reviews of your measures to ensure they remain effective, and act on the results of those tests where they highlight areas for improvement;
• Where appropriate, you should implement measures that adhere to an approved code of conduct or certification mechanism; and
• You should ensure that any data processor you use also implements appropriate technical and organisational measures.
Why should we worry about information security?
Poor information security leaves your systems and services at risk and may cause real harm and distress to individuals – lives may even be endangered in some extreme cases.
Some examples of the harm caused by the loss or abuse of personal data include:
• identity fraud;
• fake credit card transactions;
• targeting of individuals by fraudsters, potentially made more convincing by compromised personal data;
• witnesses put at risk of physical harm or intimidation;
• offenders at risk from vigilantes;
• exposure of the addresses of service personnel, police and prison officers, and those at risk of domestic violence;
• fake applications for tax credits; and
• mortgage fraud.
Although these consequences do not always happen, you should recognise that individuals are still entitled to be protected from less serious kinds of harm, for example embarrassment or inconvenience.
Information security is important, not only because it is itself a legal requirement, but also because it can support good data governance and help you demonstrate your compliance with other aspects of the GDPR.
The ICO is also required to consider the technical and organisational measures you had in place when considering an administrative fine.
What security measures do we need to put in place?
The security principle goes beyond the way you store or transmit information. Every aspect of your processing of personal data is covered, not just cybersecurity. This means the security measures you put in place should seek to ensure that:
• the data can be accessed, altered, disclosed or deleted only by those you have authorised to do so (and that those people only act within the scope of the authority you give them);
• the data you hold is accurate and complete in relation to why you are processing it; and
• the data remains accessible and usable, e.g. if personal data is accidentally lost, altered or destroyed, you should be able to recover it and therefore prevent any damage or distress to the individuals concerned.
These are known as ‘confidentiality, integrity and availability’ and under the GDPR, they form part of your obligations.
What level of security is required?
The GDPR does not define the security measures that you should have in place. It requires you to have a level of security that is ‘appropriate’ to the risks presented by your processing. You need to consider this in relation to the state of the art and costs of implementation, as well as the nature, scope, context and purpose of your processing.
This reflects both the GDPR’s risk-based approach, and that there is no ‘one size fits all’ solution to information security. It means that what’s ‘appropriate’ for you will depend on your own circumstances, the processing you’re doing and the risks it presents to your organisation.
So, before deciding what measures are appropriate, you need to assess your information risk. You should review the personal data you hold and the way you use it in order to assess how valuable, sensitive or confidential it is – as well as the damage or distress that may be caused if the data was compromised. You should also take account of factors such as:
• The nature and extent of your organisation’s premises and computer systems;
• The number of staff you have and the extent of their access to personal data; and
• Any personal data held or used by a data processor acting on your behalf.
What organisational measures do we need to consider?
Carrying out an information risk assessment is one example of an organisational measure, but you will need to take other measures as well. You should aim to build a culture of security awareness within your organisation. You should identify a person with day-to-day responsibility for information security within your organisation and make sure this person has the appropriate resources and authority to do their job effectively.
Clear accountability for security will ensure that you do not overlook these issues, and that your overall security posture does not become flawed or out of date.
Although an information security policy is an example of an appropriate organisational measure, you may not need a ‘formal’ policy document or an associated set of policies in specific areas. It depends on your size, the amount and nature of the personal data you process, and the way you use the data. However, having a policy does enable you to demonstrate how you are taking steps to comply with the security principle.
Whether or not you have such a policy, you still need to consider security and other related matters such as:
• Co-ordination between key people in your organisation (e.g. the security manager will need to know about the commissioning and disposal of any IT equipment);
• Access to premises or equipment given to anyone outside your organisation (e.g. for computer maintenance) and the additional security considerations this will generate;
• Business continuity arrangements that identify how you will protect and recover any personal data you hold; and
• Periodic checks to ensure that your security measures remain appropriate and up to date.
What technical measures do we need to consider?
Technical measures are sometimes thought of as the protection of personal data held in computers and networks. Whilst these are of obvious importance, many security incidents can be due to the theft or loss of equipment, the abandonment of old computers or hard-copy records being lost, stolen or incorrectly disposed of. Technical measures therefore include both physical and computer or IT Security.
When considering physical security, you should look at factors such as:
• The quality of doors and locks and the protection of your premises by such means as alarms, security lighting or CCTV;
• How you control access to your premises and how visitors are supervised;
• How you dispose of any paper and electronic waste; and
• How you keep IT equipment, particularly mobile devices, secure.
In the IT context, technical measures may sometimes be referred to as ‘cybersecurity’. This is a complex technical area that is constantly evolving, with new threats and vulnerabilities always emerging. It may therefore be sensible to assume that your systems are vulnerable and take steps to protect them.
When considering cybersecurity, you should look at factors such as:
• System security – the security of your network and information systems, including those which process personal data;
• Data security – the security of the data you hold within your systems, e.g. ensuring appropriate access controls are in place and that data is held securely;
• Online security – e.g. the security of your website and any other online service or application that you use; and
• Device security – including policies on Bring-your-own-device (BYOD) if you offer it.
Depending on the sophistication of your systems, your usage requirements and the technical expertise of your staff, you may need to obtain specialist information security advice that goes beyond the scope of this guidance. However, it’s also the case that you may not need a great deal of time and resources to secure your systems and the personal data they process.
Whatever you do, you should remember the following:
• Your cybersecurity measures need to be appropriate to the size and use of your network and information systems;
• You should take into account the state of technological development, but you are also able to consider the costs of implementation;
• Your security must be appropriate to your business practices. For example, if you offer staff the ability to work from home, you need to put measures in place to ensure that this does not compromise your security; and
• Your measures must be appropriate to the nature of the personal data you hold and the harm that might result from any compromise.
A good starting point is to make sure that you’re in line with the requirements of Cyber Essentials – a government scheme that includes a set of basic technical controls you can put in place relatively easily.
You should be aware, however, that you may have to go beyond these requirements depending on your processing activities. Cyber Essentials is only intended to provide a ‘base’ set of controls and won’t address the circumstances of every organisation or the risks posed by every processing operation.
What if we operate in a sector that has its own security requirements?
Some industries have specific security requirements or require you to adhere to certain frameworks or standards. These may be set collectively, for example by industry bodies or trade associations, or could be set by other regulators. If you operate in these sectors, you need to be aware of their requirements, particularly if specific technical measures are specified.
Although following these requirements will not necessarily equate to compliance with the GDPR’s security principle, the ICO will nevertheless consider these carefully in any considerations or regulatory action. It can be the case that they specify certain measures that you should have and that those measures contribute to your overall security posture.
What do we do when a data processor is involved?
If one or more organisations process personal data on your behalf, then these are data processors under the GDPR. This can have the potential to cause security problems – as a data controller you are responsible for ensuring compliance with the GDPR and this includes what the processor does with the data. However, in addition to this, the GDPR’s security requirements also apply to any processor you use.
This means that:
• You must choose a data processor that provides sufficient guarantees about its security measures;
• Your written contract must stipulate that the processor takes all measures required under Article 32 – basically, the contract has to require the processor to undertake the same security measures that you would have to take if you were doing the processing yourself; and
• You should ensure that your contract includes a requirement that the processor makes available all information necessary to demonstrate compliance. This may include allowing for you to audit and inspect the processor, either yourself or an authorised third party.
At the same time, your processor can assist you in ensuring compliance with your security obligations. For example, if you lack the resource or technical expertise to implement certain measures, engaging a processor that has these resources can assist you in making sure personal data is processed securely, provided that your contractual agreements are appropriate.
Should we use pseudonymisation and encryption?
Pseudonymisation and encryption are specified in the GDPR as two examples of measures that may be appropriate for you to implement. This does not mean that you are obliged to use these measures. It depends on the nature, scope, context and purposes of your processing and the risks posed to individuals.
However, there’s a wide range of solutions that allow you to implement both without great cost or difficulty. For example, for a number of years the ICO has considered encryption to be an appropriate technical measure given its widespread availability and relatively low cost of implementation. This position has not altered due to the GDPR – if you are storing personal data, or transmitting it over the internet, we recommend that you use encryption and have a suitable policy in place, taking account of the residual risks involved.
When considering what to put in place, you should undertake a risk analysis and document your findings.
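A short illustration of the pseudonymisation point above, added here as an example and not part of the ICO guidance: the GDPR (Article 4(5)) defines pseudonymisation as processing personal data so that it can no longer be attributed to a specific individual without additional information that is kept separately, and pseudonymised data is still personal data. A common mistake is to replace an identifier with a plain hash and call the result pseudonymised; for low-entropy identifiers such as phone numbers, dates of birth or National Insurance numbers, anyone can rebuild the mapping by hashing every possible value. The Python below shows that dictionary attack against an unkeyed SHA-256, then the keyed (HMAC) alternative, where the secret key is the ‘additional information’ you keep apart from the dataset. The records, the phone number format and the enumeration range are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Constructed sample records (not real people). The phone numbers use the
# 07700 900xxx range reserved for fiction; the identifier format is assumed.
RECORDS = [
    {"phone": "07700900123", "postcode": "SW1A 1AA"},
    {"phone": "07700900456", "postcode": "EC1A 1BB"},
    {"phone": "07700900123", "postcode": "SW1A 1AA"},  # same person, second record
]


def naive_pseudonymise(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier. It looks like a pseudonym, but anyone
    who can enumerate the identifier space can reverse it (see reverse_naive)."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_pseudonymise(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 of the identifier under a secret key. Without the key, the
    pseudonym cannot be linked back to the identifier even by enumeration, so
    the key is the 'additional information' to store separately and protect."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def candidate_phones(prefix: str = "0770090", digits: int = 4) -> Iterable[str]:
    """Every number in a small block: a stand-in for the low-entropy identifier
    spaces (phone numbers, dates of birth, NI numbers) an attacker can enumerate."""
    for n in range(10 ** digits):
        yield f"{prefix}{n:0{digits}d}"


def reverse_naive(pseudonym: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack on an unkeyed hash: hash each candidate and compare."""
    for candidate in candidates:
        if hmac.compare_digest(naive_pseudonymise(candidate), pseudonym):
            return candidate
    return None


def pseudonymise_records(records: List[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    """Replace the direct identifier with a keyed pseudonym. Records for the
    same person keep the same pseudonym, so analysis that needs to link them
    still works, but the dataset alone no longer contains the phone number."""
    out = []
    for record in records:
        pseudonymised = dict(record)  # do not mutate the caller's records
        pseudonymised["subject"] = keyed_pseudonymise(pseudonymised.pop("phone"), key)
        out.append(pseudonymised)
    return out


if __name__ == "__main__":
    # 1. Unkeyed hashing of a low-entropy identifier is reversible.
    leaked = naive_pseudonymise("07700900123")
    print("naive hash reversed to:", reverse_naive(leaked, candidate_phones()))

    # 2. A keyed pseudonym resists the same attack unless the key also leaks.
    key = secrets.token_bytes(32)  # keep this separate from the dataset
    protected = pseudonymise_records(RECORDS, key)
    print("keyed pseudonym reversed to:", reverse_naive(protected[0]["subject"], candidate_phones()))
    print("records 0 and 2 still linkable:", protected[0]["subject"] == protected[2]["subject"])
```

The keyed version is only as good as the protection around the key: if it is stored alongside the pseudonymised dataset, or shared with everyone who can read the data, the measure adds nothing, which is why the risk analysis and documentation step above still applies.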
What are ‘confidentiality, integrity, availability’ and ‘resilience’?
Collectively known as the ‘CIA triad’, confidentiality, integrity and availability are the three key elements of information security. If any of the three elements is compromised, then there can be serious consequences, both for you as a data controller and for the individuals whose data you process.
The information security measures you implement should seek to guarantee all three, both for the systems themselves and for any data they process.
The CIA triad has existed for a number of years and its concepts are well-known to security professionals.
You are also required to have the ability to ensure the ‘resilience’ of your processing systems and services. Resilience refers to:
• Whether your systems can continue operating under adverse conditions, such as those that may result from a physical or technical incident; and
• Your ability to restore them to an effective state.
This refers to things like business continuity plans, disaster recovery, and cyber resilience. Again, there is a wide range of solutions available here, and what is appropriate for you depends on your circumstances.
What are the requirements for restoring availability and access to personal data?
You must have the ability to restore the availability and access to personal data in the event of a physical or technical incident in a ‘timely manner’.
The GDPR does not define what a ‘timely manner’ should be. This therefore depends on:
• Who you are
• What systems you have; and
• The risk that may be posed to individuals if the personal data you process is unavailable for a period of time.
The key point is that you have taken this into account during your information risk assessment and selection of security measures. For example, having an appropriate backup process in place gives you some level of assurance that, if your systems do suffer a physical or technical incident, you can restore them, and therefore the personal data they hold, as soon as reasonably possible.
Are we required to ensure our security measures are effective?
Yes. The GDPR specifically requires you to have a process for regularly testing, assessing and evaluating the effectiveness of any measures you put in place. What these tests look like and how regularly you do them will depend on your own circumstances. However, it’s important to note that the requirement in the GDPR concerns your measures in their entirety, so whatever ‘scope’ you choose for this testing should be appropriate to what you are doing, how you are doing it and the data that you are processing.
Technically, you can undertake this through a number of techniques, such as vulnerability scanning and penetration testing. These are essentially ‘stress tests’ of your network and information systems, which are designed to reveal areas of potential risk and things that you can improve.
In some industries, you are already required to test your security measures on a regular basis. The GDPR now makes this an obligation for all organisations. Importantly, it does not specify the type of testing, nor how regularly you should undertake it. It depends on your organisation and the personal data you are processing.
You can undertake testing internally or externally. In some cases, it is recommended that both take place.
Whatever form of testing you undertake, you should document the results and make sure you act upon any recommendations or, where you have a valid reason for not doing so, implement appropriate alternative safeguards. This is particularly important if your testing reveals potentially critical flaws that could result in a personal data breach.
What about codes of conduct and certification?
If your security measures include a product or service that adheres to a GDPR code of conduct (once they have been approved) or certification (once any have been issued), you may be able to use this as an element to demonstrate your compliance with the security principle. It is important that you check carefully that the code or certification is appropriately issued in accordance with the GDPR.
What about our staff?
The GDPR requires you to ensure that anyone acting under your authority with access to personal data does not process that data unless you have instructed them to do so. It is therefore vital that your staff understand the importance of protecting personal data, are familiar with your security policy and put its procedures into practice.
You should provide appropriate initial and refresher training, including:
• Your responsibilities as a data controller under the GDPR;
• Staff responsibilities for protecting personal data – including the possibility that they may commit criminal offences if they deliberately try to access or disclose these data without authority;
• The proper procedures to identify callers;
• The dangers of people trying to obtain personal data by deception (e.g. by pretending to be the individual who the data concerns, or enabling staff to recognise ‘phishing’ attacks), or by persuading your staff to alter information when they should not do so; and
• Any restrictions you place on the personal use of your systems by staff (e.g. to avoid virus infection or spam).
Your staff training will only be effective if the individuals delivering it are themselves reliable and knowledgeable.