Sufficient organizational and technical measures scheduled: the GDPR puzzle for website owners
GDPR changed the life of everyone whose business is related to the processing of personal data. Some companies have accepted the challenges GDPR provides and are trying to do their best to comply with it. Others still do nothing, trusting in God, their luck, chance, and the hope that their inaction will remain unnoticed by the Great Eye of the regulatory authorities.
However, both law-abiding and bludger-like companies are puzzled about what the appropriate technical and organizational measures, which the GDPR defines as must-have instruments for achieving compliance, actually are. The absence of comprehensive guidelines from the Article 29 Working Party and the EDPB is a death blow, though.
Hence, let’s talk about what could be regarded as appropriate technical and organizational measures under the GDPR, based on the established practice of GDPR-compliant companies.
What does the fox GDPR say?
GDPR literally provides almost no clear information (o tempora, o mores!) regarding what the technical and organizational measures under the GDPR should be. Instead, it provides examples of what you shall be able to achieve or conduct after implementing such measures, e.g.:
- the pseudonymisation and encryption of personal data;
- data minimization;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- regular testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Likewise, the GDPR states that such measures shall be defined by the controller/processor taking into account the following factors:
- state of the art;
- costs of implementation;
- nature, scope, context and purposes of processing;
- risk of varying likelihood and severity for the rights and freedoms of natural persons;
- obligation to ensure a level of security appropriate to the risk.
Well, at this moment you have read the GDPR and found out what you shall be able to do after implementing the technical and organizational measures, and what the criteria for evaluating particular measures are. But what are they, these particular measures?
What could the technical and organizational measures be?
You should start the implementation of the aforementioned measures by defining what you need to do and what measures you shall apply. Thus, conducting a risk assessment is the starting point in your journey there and back again.
To conduct a risk assessment, you should create a checklist of GDPR requirements regarding the processing of data, i.e. the principles of data processing, the existence of privacy by default and by design, compliance with the rules on cross-border data transfers, etc., and analyze whether you comply with such requirements. Sometimes GDPR questionnaires (what is that?!) from partners who care about GDPR compliance may help you with the assessment, as they usually contain direct questions about the technical and organizational measures you have implemented.
As a result of the risk assessment, you will understand the scope of the technical measures (see below) and organizational measures you need to apply.
Common organizational measures include regular training of personnel, periodic audits of implemented measures, a clear desk and clear screen policy, building access and relocation security (if you have office workers), etc.
Another important organizational measure is the preparation of internal company policies and procedures regarding the implementation of technical and organizational measures. If you do something, write down what you do and how you do it. This is the Way.
Technical measures relate to all shades of cybersecurity. Depending on the specifics of the company’s data processing and business, such measures may vary greatly. The most common technical security measures are:
- access control and authentication for access to data;
- regular backup of data;
- regular deletion and disposal of data;
- pseudonymisation and encryption of data;
- firewalls, malware protection and anti-virus applications;
- password policies and encryption;
- BYOD and remote access security.
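Two of the measures named above, pseudonymisation and data minimization (also listed among the GDPR’s Article 32 examples earlier on this page), are easy to name and easy to get wrong. The following Python script is an added illustration, not code from the original article or from any company it mentions: it strips a constructed customer record down to the fields one purpose actually needs, replaces the remaining direct identifier with a keyed HMAC-SHA256 token, and hands back the token-to-identity mapping separately so it can be stored apart from the working data. The field names, the sample record and the `ANALYTICS_FIELDS` purpose are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional, Tuple

# Attributes that directly identify a natural person (constructed list for this example).
DIRECT_IDENTIFIERS = ("email", "full_name", "phone")


def pseudonymise_value(value: str, key: bytes) -> str:
    """Replace an identifier with a keyed hash (HMAC-SHA256).

    A plain SHA-256 of an e-mail address can be recomputed by anyone who can
    guess the address; the secret key is what turns the digest into a
    pseudonym. Anyone holding the data set but not the key cannot recompute
    or reverse the token.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_record(
    record: Dict[str, str], key: bytes, fields_needed: Iterable[str]
) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (working_record, reidentification_entries).

    - Data minimisation: only the fields in `fields_needed` survive.
    - Pseudonymisation: any surviving direct identifier is replaced by a token.
    - The token -> original mapping is returned separately because the GDPR
      (Art. 4(5)) expects that "additional information" to be kept apart from
      the pseudonymised data under its own technical and organizational measures.
    """
    working: Dict[str, str] = {}
    reident: Dict[str, str] = {}
    for field in fields_needed:
        if field not in record:
            continue
        if field in DIRECT_IDENTIFIERS:
            token = pseudonymise_value(record[field], key)
            working[field] = token
            reident[token] = record[field]
        else:
            working[field] = record[field]
    return working, reident


def reidentify(token: str, reident: Dict[str, str]) -> str:
    """Resolve a token through the separately stored mapping; unknown tokens are an error."""
    if token not in reident:
        raise KeyError("token not present in re-identification store")
    return reident[token]


# Constructed sample: a raw customer record as a booking system might hold it.
SAMPLE_RECORD = {
    "email": "jane.doe@example.com",
    "full_name": "Jane Doe",
    "phone": "+44 20 7946 0000",
    "booking_ref": "ABC123",
    "route": "LHR-JFK",
    "card_number": "4111111111111111",
}

# Assumed purpose: route analytics needs a stable customer handle and the route,
# nothing else. Names, phone numbers and card numbers never reach the analysts.
ANALYTICS_FIELDS = ("email", "route")


def demo(key: Optional[bytes] = None) -> Tuple[Dict[str, str], Dict[str, str], bytes]:
    """Run the pipeline once; a fresh random key is generated if none is supplied."""
    key = key or secrets.token_bytes(32)
    working, reident = pseudonymise_record(SAMPLE_RECORD, key, ANALYTICS_FIELDS)
    return working, reident, key


if __name__ == "__main__":
    working, reident, key = demo()
    print("working record:", working)
    print("re-identified:", reidentify(working["email"], reident))
```

The same key yields the same token for the same e-mail address, so records can still be linked for analysis, while a different key (for instance one per purpose or per processor) produces unrelated tokens. The key and the re-identification mapping are the parts that need the strongest access control; losing either to an attacker turns the pseudonymised set back into personal data.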
You literally need to become security ninjas to detect and eliminate threats to your data in advance. However, if a data breach has occurred, you should not say “Well, I did my best, folks”. On the contrary, you need to have complete and detailed data breach policies and procedures that lay out comprehensive step-by-step actions for your workers and cybersecurity warriors to eliminate the data breach and assess the harm caused to the data subjects.
Fines for violation of GDPR are:
- up to 10 mln. EUR, or up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher, for violation of certain provisions of GDPR;
- up to 20 mln. EUR, or up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher, for violation of principles, rights of data subject under GDPR etc.
GDPR very clearly emphasizes that non-compliant companies will be punished. Still, a lot of companies do not believe their GDPR sins will be noticed. Bad for them.
For example, in 2019 the ICO (the British data protection authority) issued a notice of its intention to fine British Airways 230 mln. USD for a data breach that occurred in 2018 and affected a whopping 500,000 customers browsing and booking tickets online. According to the investigation report, the main reason the breach occurred was poor security arrangements at British Airways.
Another good example is 1&1 Telecom GmbH, which was fined 9.5 million Euros by the German data protection authority in 2019 for failure to establish adequate technical and organizational measures to safeguard consumer information in its call center environments. The fine was imposed after it was discovered that callers to the firm’s call center could retrieve consumer data by simply providing a name and date of birth. These requirements were deemed insufficient for authentication and protection of consumer information as required by Article 32 of the GDPR.
The GDPR did a great job for regulatory authorities and gave a terrible gift to companies by not clearly identifying what technical and organizational measures should be applied by a company and in what cases they should be applied.
Hence, 90% of success in this matter will depend on the good faith of you and your tech and security specialists. We do not recommend saving on the implementation of cybersecurity and data security measures; rather the contrary.
Always keep in mind that persistent monitoring, maintenance and development, e.g. regular reviews and tests of software to uncover vulnerabilities in the systems supporting the processing of data, is one of the most important keys to data security success.
Don’t be lazy – be compliant.