GDPR Security Regulations

The General Data Protection Regulation (GDPR) establishes a number of requirements for businesses that collect or process the personal data of individuals residing in the European Union, including GDPR security regulations to ensure the confidentiality of personal data is safeguarded.

Any individual or company that collects, processes, stores, or transmits the personal data of EU citizens is required to comply with GDPR, regardless of where the individual or company is based. Compliance with GDPR is required even if a company does not have a physical presence in an EU country.

There are two main aims of GDPR: To ensure the privacy of EU citizens is protected and to give those individuals greater control over their personal data, including how it is used.

In order for data to be collected and processed, a data subject must freely give their consent. The uses of data must be clearly explained and only be used for those specific purposes. Data must be processed in accordance with GDPR requirements and must be erased when no longer required.

Some of the most important standards specified in the GDPR include:

  • Ensure data subjects provide informed consent for their data to be used
  • Ensure data subjects are made aware of how their data will be used
  • Ensure personal data is only used for lawful purposes
  • Ensure safeguards are implemented to preserve the confidentiality and availability of data
  • Prevent unauthorized use of personal data
  • Ensure data breaches are reported and individuals notified
  • Ensure the types of data that are breached can be identified
  • Ensure requests from data subjects are responded to within a month
  • Ensure data is only retained for long enough to accomplish processing
  • Ensure data subjects are informed if their data are transferred to another country
  • Ensure data subjects have the right to be forgotten and have all of their data erased
  • Maintain records of activities relating to data processing
  • Create and maintain policies and procedures to prove compliance with GDPR

Compliance with the GDPR security regulations is essential. Data controllers (individuals and companies) and data processors (Service providers) face stiff penalties for failing to comply with GDPR. The penalty for noncompliance is a fine of up to €20 million or 4% of global annual turnover, whichever is the greater.

What Data Does GDPR Cover?

GDPR covers the personal data of EU citizens. GDPR classes personal data as any information that would allow a natural person to be directly or indirectly identified. GDPR applies to physical records and digital data.

Personal data is defined in Article 4 of the GDPR as “Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an       identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”

Personal data therefore includes, but is not limited to, name, address, email address, photographs, IP addresses, location data, profiling, and analytics data. Other types of data fall under the category of sensitive personal data. Sensitive personal data includes race, religion, political views, sexual orientation, online behavior (cookies), health information, genetic data, biometric data.

What Are the GDPR Security Regulations?

The GDPR security regulations require appropriate technical and organizational measures to be implemented to ensure the security of personal data. GDPR is not technology-specific, so the types of protections that must be implemented to ensure the security of data are not specified in GDPR. Were that to be the case, GDPR would need to be updated frequently to account for new technologies and obsolete security controls.

The safeguards that must be implemented to ensure the confidentiality of personal data can therefore be chosen by each data controller and data processor. To comply with the GDPR security regulations, safeguards must be reasonable and appropriate to the level of risk to individuals’ rights and freedoms.

The purpose of the GDPR security regulations is not to make it impossible for data to be accessed by unauthorized individuals, only for measures to be implemented to reduce risk to a reasonable and appropriately low level. For instance, network security controls should ensure networks can resist, to a reasonable level of confidence, accidental events and malicious attacks that could result in the exposure or theft of personal data.

Article 32 of GDPR covers the security of processing and explains that various measures must be implemented to ensure the security of personal data and states that:

“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate.”

While specific technologies are not stipulated, encryption and pseudonymization are mentioned and must be considered. GDPR also requires data controllers and data processors to “ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.”

In the event of a security incident or other physical or technical event, the data controller/data processor must be able to restore the availability of personal data in a timely manner. Regular testing, assessing, and evaluation of the effectiveness of security controls and organizational measures must also take place.

If a new type of processing takes place that involves a high risk to the rights and freedoms of data subjects, a data protection impact assessment must be conducted and appropriate measures introduced to address any risks and ensure the continued protection of personal data.

Data protection must be incorporated by design and default. Use of data must be limited to that required for a specific purpose and safeguards implemented to ensure the processing of data meets the requirements of the Regulation.

A data protection officer must be appointed by organizations with more than 250 employees whose role must include advising all employees of their responsibilities and the controller or processor of their obligations, monitoring of compliance with the GDPR security regulations, and to cooperate with the supervisory authority.

It is not possible to prevent all data breaches. When a breach occurs, it must be reported to the data protection authority within 72 hours. Individuals must be notified if there is a high risk of their rights and freedoms being abused as a result of a breach, such as the incident placing their personal safety in jeopardy or if they face a high risk of identity theft or fraud. Personal notifications must be issued without undue delay.

Deadline for Compliance with the GDPR Security Regulations

The deadline for compliance with the GDPR security regulations is May 25, 2018. Data controllers and data processors do not have long to ensure that appropriate policies and procedures are developed and implemented.

The identification of personal data, reviewing contracts, verifying processes, and ensuring compliance with the GDPR security regulations will involve a considerable number of man-hours.

It is important for companies to start their compliance programs promptly to ensure compliance with the GDPR security regulations ahead of the deadline.