On January 23, 2018, the French data protection authority (the CNIL) published new guidelines on the security of personal data (updating its previous security guide published in 2010 available in English) , providing practical recommendations in the form of “Do’s and Dont’s” to help businesses implement appropriate measures to protect personal data in compliance with the General Data Protection Regulation (“GDPR”).

Article 32 of the GDPR requires data controllers and processors to “implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk”. Although the GDPR provides some guidance as to the types of measures that may be considered appropriate (i.e., the pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing), the CNIL acknowledges that such determination may be difficult for businesses that are unfamiliar with the risk management methods in terms of data processing.

The CNIL’s guide is aimed at (i) clarifying the basic precautions to be taken systematically when processing personal data and (ii) helping businesses verify their level of compliance thanks to a tick box evaluation form made available at the end of the guide.

The CNIL’s recommendations are organized in 17 themes. Each of them is detailed in a factsheet in the Guide:

  • Users’ awareness
  • Users authentication
  • Access rights management
  • Access tracing and incident management
  • Workstations security
  • Mobile devices security
  • Internal IT network security
  • Server security
  • Website security
  • Backup and business continuity
  • Secure archiving
  • Maintenance and data destruction
  • Sub-processing
  • Data sharing with third parties
  • Facility security
  • Privacy by design and privacy by default
  • Encryption, data integrity and confidentiality

Ideally, the CNIL recommends to use this guide in the context of a broader risk management strategy, which should consist of at least the 4 following steps:

  1. List the personal data processing, including the categories of personal data concerned and the means of data processing (e.g. hardware, software, communication networks and even hard copy files) ;
  2. Assess the risks of each processing, notably by identifying the potential impacts (unauthorized access, alteration or loss of data), the risk sources (human or non-human, internal, external) and the potential threats, listing the existing controls (access control, traceability, anonymization etc.) and assessing the severity and likelihood of risks );
  3. Implement and control the appropriate measures; and
  4. Carry out regular security audits.These guidelines are not only useful to advise organisations on how to comply and document their security obligations but also a practical tool for the conduct of privacy impact assessments (“PIA”), which are required in certain cases and which, pursuant to Article 35(7) of the GDPR, must contain, among other things, “the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with [the] Regulation”.