In this short article, I’m going to talk a bit about security of personal data and how the GDPR defines security. The requirements fall under Article 32 of the regulation. This is one of the areas of the regulation where decisions need to be made based upon the sensitivity of the data, the nature of the processing, the likelihood of a data breach and the impact on the data subject. These factors are then combined with the availability of technical solutions and the cost of implementation. The key phrase in this article is “appropriate technical and organisational measures to ensure a level of security appropriate to the risk”.
A word that crops up in this article and in several other places in the regulation is ‘pseudonymisation’. This is, very simply, the replacing or removal of details such as name, address and other unique identifiers so that the person cannot be identified but the data remains useful (e.g. for statistical analysis or market research).
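As an added worked example of the pseudonymisation described above (example code written for this article, not from the original post or from the regulation itself), the Python below strips direct identifiers from a set of customer records and replaces the customer number with a keyed hash. The record layout, field names and sample records are constructed for the example. The key is held separately from the dataset: with it, records about the same person can still be linked for analysis; without it, the token cannot be reversed, nor recomputed from a guessed customer number, which is why a plain unkeyed hash of a low-entropy identifier would not do.

```python
import hashlib
import hmac
import secrets

# Fields that identify the person directly; these are removed outright,
# since statistical analysis does not need them. (Field names are assumed.)
DIRECT_IDENTIFIERS = {"name", "address", "email"}

# Constructed sample records, as they might sit in a source system.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "name": "Ada Example", "address": "1 Test St",
     "email": "ada@example.invalid", "city": "Leeds", "age": 41, "spend_gbp": 120.50},
    {"customer_id": "C-1002", "name": "Bob Sample", "address": "2 Test St",
     "email": "bob@example.invalid", "city": "Leeds", "age": 35, "spend_gbp": 75.00},
    {"customer_id": "C-1001", "name": "Ada Example", "address": "1 Test St",
     "email": "ada@example.invalid", "city": "Leeds", "age": 41, "spend_gbp": 15.25},
]


def make_key() -> bytes:
    """Generate the pseudonymisation key; store it apart from the output data."""
    return secrets.token_bytes(32)


def pseudonym(identifier: str, key: bytes) -> str:
    # HMAC-SHA256: same identifier and same key give the same token, so one
    # person's records stay linkable. Without the key the token cannot be
    # reversed, and an attacker cannot simply hash guessed identifiers to match it.
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(record: dict, key: bytes) -> dict:
    """Drop direct identifiers and replace the customer number with a token."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["customer_id"] = pseudonym(record["customer_id"], key)
    return out


def pseudonymise_all(records: list, key: bytes) -> list:
    return [pseudonymise(r, key) for r in records]


def total_spend_by_pseudonym(records: list) -> dict:
    """Analysis still works on the pseudonymised data: spend per (tokenised) customer."""
    totals: dict = {}
    for r in records:
        totals[r["customer_id"]] = totals.get(r["customer_id"], 0.0) + r["spend_gbp"]
    return totals


if __name__ == "__main__":
    key = make_key()
    cleaned = pseudonymise_all(SAMPLE_RECORDS, key)
    for row in cleaned:
        print(row)
    print(total_spend_by_pseudonym(cleaned))
```

Note that the output is pseudonymised, not anonymised: whoever holds the key can re-identify the records, so under the GDPR the output is still personal data and the key needs the same care as the original identifiers.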
There are a few requirements of this article that may be surprising. There is a requirement to provide an ongoing process to ensure security and availability of data and services. This is a clear statement that compliance with the GDPR is a continuing and active process in the same way as any other information security framework.
Another requirement mandates the ability to recover systems and data in the event of an incident, or incidents, that disrupt processes and data or compromise their integrity. This clearly requires a plan for disaster recovery.
These measures need to be regularly assessed and tested to ensure they are effective.
This foray into the integrity and availability of personal data may seem a little out of place in data protection legislation, but it supports one of the aims of the GDPR: to protect ‘the rights and freedoms of natural persons’. For example, if a bank were to suffer a data loss and had no plan to recover the data, this would impact many people, who would be unable to withdraw money, pay bills and so on.
Business owners must broaden the scope of information security to include integrity and availability of data and systems. Time to dust off disaster recovery plans and begin a review process!