Security of personal data

The GDPR obliges both controllers and processors to implement appropriate technical and organisational measures "to ensure a level of security appropriate to the risk". In other words, security under the GDPR is not a fixed checklist: controllers and processors must adopt a risk-based approach, and the measures chosen must be proportionate to the risk the processing actually poses.

Furthermore, the GDPR requires controllers and processors to take steps to ensure that any natural person acting under their authority who has access to personal data processes it only on the controller's instructions, unless Union or Member State law requires otherwise. In practice this means that access rights are tied to a documented need and that instructions to staff are actually enforced, not merely issued.

When determining which measures are appropriate, the following must be taken into account:

  • the state of the art;

  • the implementation cost;

  • the nature, scope, context and purposes of the processing; and

  • the risks posed to the rights and freedoms of natural persons.

The GDPR lists the following as examples of measures which, as appropriate, may be required to reach a level of security appropriate to the risk:

  • the pseudonymisation and encryption of personal data;

  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

  • the ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident;

  • a procedure to regularly test, assess and evaluate the effectiveness of technical and organisational measures to ensure secure processing.

Various national and European supervisory authorities and institutions, such as ENISA and the European Data Protection Supervisor, have already issued useful security guidelines in this respect.

Finally, it should be noted that the security of personal data is a point which should be covered by every data processing agreement and preferably any type of agreement pursuant to which third parties have access to your systems. Please see the previous issue in this series for more information on data processing agreements.

Personal data breaches

The GDPR defines a personal data breach as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".

This definition is very broad and covers a wide range of situations such as hacking, the loss or theft of laptops or USB sticks, and access by unauthorised persons. It is not limited to confidentiality breaches: the loss of availability (e.g. personal data destroyed or made inaccessible) or of integrity (unauthorised alteration of personal data) also falls within the definition.

Obligation to notify the supervisory authority

The controller must notify a personal data breach to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons (e.g. the data were encrypted with a state-of-the-art algorithm and the key was not compromised).

If the notification is not made within 72 hours, it must be accompanied by the reasons for the delay.

Where it is not possible to provide all the required information at once, it may be provided in phases, without undue further delay.

The notification must include at least the following information:

  • the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

  • the name and contact details of the data protection officer or other point of contact from which further information can be obtained;

  • the likely consequences of the breach;

  • the measures taken or proposed by the controller to address the data breach including, where appropriate, measures to mitigate any possible adverse effects.

The controller must document all personal data breaches, including those that did not have to be notified, recording the related facts, their effects and the remedial measures taken. This documentation must enable the supervisory authority to verify compliance with the notification obligation.

Obligation to notify the data subjects

When a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must inform the data subjects of the breach without undue delay. Note that the threshold here is higher than for notification to the supervisory authority: a "risk" triggers the latter, a "high risk" triggers the former.

The controller must describe, in clear and plain language, the nature of the personal data breach and indicate:

  • the name and contact details of the data protection officer or other point of contact from which further information can be obtained;

  • the likely consequences of the personal data breach;

  • the measures taken or proposed by the controller to address the breach including, where appropriate, measures to mitigate any possible adverse effects.

If the controller has not informed the data subjects of the breach, the supervisory authority, having considered the likelihood of the breach resulting in a high risk, may require it to do so or may decide that one of the exemptions below applies.

The controller does not need to inform the data subjects of the personal data breach if:

  • it has implemented appropriate technical and organisational protection measures which were applied to the personal data affected by the breach, in particular measures, such as encryption, that render the personal data unintelligible to any person who is not authorised to access them;

  • it has subsequently taken measures to ensure that a high risk to the rights and freedoms of the data subjects is no longer likely to materialise; or

  • doing so would involve disproportionate efforts, in which case it shall make a public communication or take similar measures to ensure that the data subjects are informed in an equally effective manner.

The processor's role

The processor must notify the controller without undue delay after becoming aware of a personal data breach. Since the controller's 72-hour period starts running when the controller becomes aware of the breach, any delay on the processor's side eats into that period; the data processing agreement should therefore fix a concrete deadline and a point of contact for this notification.

To do's

  • Assess the technical and organisational security measures in place within your organisation and make the appropriate adjustments, if necessary.
  • Have your systems tested regularly by an external party, and document the results and the follow-up.
  • Put in place an appropriate data breach notification procedure, including a register in which all breaches are documented, whether or not they are notified.
  • Fix deadlines and contact points for breach notification in your data processing agreements.
  • Train your employees and contractors in security awareness.

Relevant provisions

  • Recitals 83, 85-87
  • Article 4(12) (definition of a personal data breach)
  • Articles 32-34