
Dealing with the GDPR - Part 4 - Article 32 and technical and organizational measures (GDPR TOMS)

Updated: May 24, 2023


The heading of Article 32 is "Security of processing".


When talking about the security of processing we have to focus on security measures and technical and organizational measures. But let's start with the security of processing.





Security of Processing


When dealing with security measures, we must always look to Article 24 and Article 32 of the GDPR. Article 24 obliges you as the controller to implement appropriate technical and organizational measures to ensure, and to be able to provide evidence, that the processing is carried out in accordance with the GDPR. Art. 24 thus specifies the implementation of the 7 principles of Article 5.


Article 32 specifies this obligation in more detail with regard to data security. It is your obligation as the person responsible (the controller), taking into account the state of the art, the implementation costs, and the type, scope, circumstances, and purposes of the processing as well as the varying likelihood and severity of the risk [...], to implement appropriate technical and organizational measures to ensure a level of protection appropriate to the risk.


In summary, you have to take appropriate technical and organizational measures which guarantee a level of protection that ensures you process data in accordance with the GDPR and excludes risks as far as possible.


Technical and Organizational Measures (GDPR TOMs)


Before we start talking about typical data protection risks and the GDPR requirements, I'd like to give you an overview of the technical measures and organizational measures (GDPR TOMs). We can read in Article 32 and Recital 78 what is necessary to meet the requirements of the general data protection regulation.



Recital 78 states that "Such measures could consist, inter alia, of minimizing the processing of personal data, pseudonymizing personal data as soon as possible, transparency about the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features."


Technical Measures


Pseudonymization and Encryption


Article 32 points out that pseudonymization and encryption of personal data are appropriate security measures that help to ensure compliance. But it is necessary to implement technical measures on different levels. Pseudonymization can be implemented by replacing user-related data with random codes. You can use encryption by using hard disk encryption or a cloud solution with encryption.
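The "random codes" approach described above, as an added example (not code from the original post): identifiers are replaced by random pseudonyms, and the lookup table that links code and person is kept as a separate object so it can be stored and access-controlled apart from the data. The sample records, field names and the `PseudonymTable` class are constructed for illustration.

```python
import secrets
from typing import Dict, Iterable, List

# Constructed sample records (fictitious people, not real data).
SAMPLE_RECORDS: List[Dict] = [
    {"email": "anna@example.com", "name": "Anna Example", "order_total": 120},
    {"email": "ben@example.com",  "name": "Ben Example",  "order_total": 80},
    {"email": "anna@example.com", "name": "Anna Example", "order_total": 45},
]


class PseudonymTable:
    """Maps an identifier to a random code and back.

    This table is the 'additional information' that makes re-identification
    possible (Art. 4(5) GDPR): keep it separately from the pseudonymized
    records, and let only authorized persons use it.
    """

    def __init__(self) -> None:
        self._forward: Dict[str, str] = {}
        self._reverse: Dict[str, str] = {}

    def code_for(self, identifier: str) -> str:
        code = self._forward.get(identifier)
        if code is None:
            # Random code, not derived from the identifier: without the table
            # nobody can compute or guess it. The same identifier always gets
            # the same code, so one person's records stay linkable for analysis.
            code = "P-" + secrets.token_hex(8)
            self._forward[identifier] = code
            self._reverse[code] = identifier
        return code

    def identifier_for(self, code: str) -> str:
        """Re-identification: only for the authorized holder of the table."""
        return self._reverse[code]


def pseudonymize(records: Iterable[Dict], table: PseudonymTable,
                 key_field: str = "email",
                 drop_fields: Iterable[str] = ("name",)) -> List[Dict]:
    """Replace the key identifier with a code and drop other direct identifiers."""
    out = []
    for rec in records:
        copy = {k: v for k, v in rec.items() if k not in drop_fields}
        copy["pseudonym"] = table.code_for(copy.pop(key_field))
        out.append(copy)
    return out
```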


Let's look a little deeper into other technical measures (GDPR TOMs) that help you protect personal data and achieve GDPR compliance step by step. Also keep in mind that you will need a set of technical measures to reach a good level of data security.


Firewalls


A firewall is a protective technology that separates network areas from each other. In practice, this usually means that it tracks incoming and outgoing data packets. It regulates that these data packets are only sent in and out at the points where they are allowed to do so. The firewall works according to previously defined rules to open, block, and monitor the inputs and outputs (ports) appropriately.


The use of a firewall is an important building block in a security concept.


Protocols (Log Files)


Log files are used to check data processing that took place in the past. They are necessary to meet the accountability requirements of Article 5. Logs record, for example, who performed which activity on which data at a specific time, or who sent which data to whom at a specific time. Logs help with subsequent checks.


Protocols are usually created automatically (“logs”). Logs can contain a variety of information, such as information from systems, services, programs, video recordings of activities in server rooms, or file entries at the technical level.


Therefore, log data must be valid, reliable, up-to-date, and complete (integrity protection). At least when there is a high need for protection, protocols must be audit-proof. If log data contain a personal reference, they may only be evaluated for designated purposes by persons specially authorized to do so. As a rule, log data may only be evaluated for the purposes that gave rise to their storage.


It is therefore always a good idea to create a logging concept in which all the details of the logging itself as well as the evaluation and checking of the logs are documented.
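One way to give log data the integrity protection and audit-proof property described above, as an added example that is not part of the original post: each entry carries a keyed hash (HMAC) over its content and the previous entry's hash, so any later modification or deletion breaks the chain. The events, user names and the `AUDIT_KEY` are constructed for illustration; it is assumed that the key and the stored chain head are held by the auditing function, separately from the systems that write the log.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Assumption: held only by the audit function, not by the log writers,
# so a writer cannot recompute the chain after editing an entry.
AUDIT_KEY = b"constructed-demo-key-not-for-production"

# Constructed entries in the form the text describes: who, what, which data, when.
SAMPLE_EVENTS = [
    {"ts": "2023-05-24T08:01:12Z", "user": "m.mueller", "action": "read", "object": "customer/4711"},
    {"ts": "2023-05-24T08:03:40Z", "user": "m.mueller", "action": "export", "object": "customer/4711"},
    {"ts": "2023-05-24T09:15:02Z", "user": "j.schmidt", "action": "delete", "object": "customer/0815"},
]

GENESIS = "0" * 64  # chain start before the first entry


def _mac(prev: str, event: Dict) -> str:
    # Binds the entry to its predecessor: changing or removing an earlier
    # entry changes every MAC after it.
    payload = prev.encode() + json.dumps(event, sort_keys=True).encode()
    return hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()


def append_entry(log: List[Dict], event: Dict) -> str:
    prev = log[-1]["mac"] if log else GENESIS
    mac = _mac(prev, event)
    log.append({"event": event, "mac": mac})
    return mac  # the new chain head, to be recorded in a separate location


def build_log(events: List[Dict]) -> List[Dict]:
    log: List[Dict] = []
    for event in events:
        append_entry(log, event)
    return log


def verify_log(log: List[Dict], expected_head: Optional[str] = None) -> bool:
    """True if every entry matches its predecessor and, when given, the stored head.

    Without expected_head, truncating the log at the end is not detectable:
    the remaining chain is still internally consistent.
    """
    prev = GENESIS
    for entry in log:
        if not hmac.compare_digest(entry["mac"], _mac(prev, entry["event"])):
            return False
        prev = entry["mac"]
    return expected_head is None or hmac.compare_digest(prev, expected_head)
```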


Specifications for Passwords

Passwords should always be part of the information security strategy, as they are important in increasing the level of security. However, this only holds if the specifications are chosen in such a way that the password itself is secure. If you use "123456" as a password, that is not secure.



It is therefore very important for you to use a password policy in your company and to protect documents containing sensitive data with passwords.


There are various specifications for the design of passwords. You can find these specifications on the websites of the US NIST, the UK NCSC, or the German BSI.


Access Rights


Access rights to databases containing personal data should always be granted on a need-to-know basis. There should never be a one-size-fits-all access right for all employees.

In the past, blanket access rights have already led to high fines since employees were able to access data that they did not need for their work.


In this context, it is always helpful to describe organizational peculiarities. Corresponding peculiarities for example can result from the fact that only a few employees work at a location of your company, and they oppose each other


Organizational Measures


Organizational measures (GDPR TOMs) are regularly aimed at operational processes and security structures in an organization. These are all non-technical measures with which data security can be achieved.


Organizational measures usually consist of organizational methods, internal policies and instructions, controls, and audits that data controllers and data processors apply to ensure the security of personal data.


Internal Data Protection Policies & Information Security Policies


Each organization should always make the scope and content of the policies dependent on the tasks and processes and the required level of data protection. The specifications must be understandable, and the employees must be familiar with the specifications.


Other Policies and Procedures


Clear and easy-to-follow policies and procedures help a company and its employees know what their rights and responsibilities are, and how to behave in certain situations. Examples are a clean desk policy, a bring-your-own-device policy, remote work policies, or procedures for handling data breaches.


Awareness Raising & Training


Awareness raising and training are essential aspects to familiarize employees with the complex issues of data protection and information security. Employees must know the legal requirements, what is expected of them, and how to behave in certain situations.



Here it is particularly important to train regularly, continuously, and understandably. It doesn't help anyone if there has been comprehensive training once, but the employees then receive no further information about current developments or changes. All measures should always be part of a comprehensive training concept, as this also helps to ensure accountability.


Reviews and Audits


Policies and procedures are important to design the organizational framework in which the processes are carried out by your employees. But it is just as important to regularly check whether these measures are effective and complete.


For this reason, you should set up controls and audits. It is important to note that the controls must be risk-based, as the GDPR indicates in various places. Furthermore, it is always good to know and assess how well your processes are working. This allows you to build on the well-functioning processes and gradually improve the remaining processes. These tests should always be part of an annual test plan and can also be carried out in a PDCA (Plan-Do-Check-Act) cycle.


Due Diligence


As a data controller, you must ensure that you only use processors who guarantee sufficient security and that data processing is carried out in accordance with the provisions of the GDPR.

Accordingly, you should always set up due diligence checks before entering contracts with processors.


Data Protection Officer


The data protection officer (DPO) should always be part of the organizational measures of your company. The DPO is your expert for all questions relating to data protection regulations. If you are not able to appoint an internal data protection officer and train them continuously, I am at your disposal as an external data protection officer.


Data Protection Risks



Data protection risks can occur through different data breaches, and it is your legal obligation to keep the data of your customers secure.

You as a data controller must ensure that the data of your customers and visitors is kept safe. But what are typical risks?


· Cyberattacks

· Unlawful destruction

· Accidental sharing

· Employee data theft

· Ransomware

· Bribery

· Phishing Emails

· Fraud


When you process data, you have to demonstrate compliance by implementing specific measures which ensure that the data of your customers are safe and secure. If you detect a high risk in a specific process, then you must find a solution as soon as possible and update your security information.


All your measures must be on an appropriate level. This level always depends on the form and scope of the data processing. The more risky and extensive data processing is, the higher the level of technical and organizational measures to protect data security must be.


General Data Protection Regulation (GDPR) Requirements


The GDPR requires different measures as stated in Article 32. But let's not focus only on Article 32. There is a lot of additional information you have to look at to be GDPR-compliant.



Ensuring compliance means that you handle data securely and promptly. When you implement measures, you always have to keep in mind that the GDPR consists of a lot of different aspects and that a privacy policy on your webpage is only one step. When you process the data of EU citizens, then you must focus on data privacy from different perspectives.

In my Blog post Dealing with the GDPR - Part 2 - Data Processing & GDPR Compliance, I included the following checklist:


GDPR Compliance Checklist


1. Records of Processing Activities (in best case combined with Process Management)

2. Overview of Software & Applications and External Processors

3. Technical & organizational measures

4. Implementation of a Data Protection Officer

5. Data Protection Handbook

6. Ongoing information and sensitization of employees

7. Ensuring the Rights of the Data Subjects


This checklist will help you on your way to becoming GDPR compliant. But if you would rather focus on your core business, I would be really glad to support you in all questions related to the GDPR.


If you have any questions, I would be happy to get in touch with you!




