Ensuring the Security of Personal Data Processing

There’s just over two months to go until the EU General Data Protection Regulation (GDPR) finally arrives, and we’re busy helping our customers and partners with their preparations for full compliance. This is a once-in-a-generation update for data protection, and provides a significantly more robust framework to protect our personal data in today’s modern, digital world.

This personal data is subject to a variety of “data processing” activities, whether that’s collection via a website, transmission via a network, processing by an employee or storage within a database, amongst many others. It’s the security of this data processing that is addressed within Article 32 of GDPR, and this text is worth us taking a closer look at.

Article 32 requires that Data Controllers and Data Processors implement appropriate “technical and organisational measures” which ensure a level of data security appropriate to the level of risk which is present during the processing of the personal data. This sentence alone comprises several different requirements, which we’ll take a look at in turn.

Firstly, our organisation should have a detailed understanding of the risks involved if we are to effectively implement measures to manage them. For organisations which have ISO27001 certification (the international standard for Information Security Management Systems), Sections 6 and 8 of the standard require that an effective approach to risk management is agreed and implemented. Whether your organisation has ISO27001 certification or not, the Data Protection Impact Assessments required by Article 35 of GDPR will, done well, provide similar visibility of any risks.

Dependent upon the data processing activity, our risk assessments should examine the threats and vulnerabilities associated with our employees, the systems (hardware, software and networks) we use, and any third-party data processors (including cloud service providers) that we may need to share the personal data with. It’s a complex subject to try to address all of this in a single blog, but essential if we are to ensure the confidentiality, integrity and availability of the personal data which is being entrusted to our care.

Using this risk-based approach, Article 32 notes that both technical and organisational measures are to be implemented. Let’s look at each of these in turn.

Organisational measures may include:

Technical measures may include:

Article 32 also requires that such measures be assessed against the “state of the art” and the costs of their implementation. This suggests that data processing organisations will need to keep abreast of the latest technologies which support best practice in information security and data privacy, whether that relates to data encryption, activity monitoring, behavioural analytics or malware detection. Technical testing for software coding vulnerabilities and weak device configurations is available at a sensible cost, and should be seriously considered by all data processing organisations.

Finally, this Article once again highlights the respective roles of the data controller (who has ultimate responsibility for ensuring that personal data processing is undertaken in accordance with the requirements of GDPR), and the data processor (who undertakes the data controller’s specific data processing instructions on a formal, legal basis). Article 28 reminds controllers that they shall only use processors who can “provide sufficient guarantees to implement appropriate technical and organisational measures” to ensure that the data processing is compliant with GDPR.

The selection and use of demonstrably compliant data processors by a data controller needs to be managed carefully. Contractual obligations should be combined with satisfactory responses to requests for evidence, for example existing security certifications, evidence of personnel training and competencies, and visibility of external technical security tests performed on applications.

In summary, it’s in each of our organisation’s own interests to ensure that personal data processing is both secure and fully compliant with GDPR. Being able to demonstrate this capability is essential if we are to earn the trust and credibility of data subjects, and significantly reduces the risks of the financial penalties that may result.

John Godwin is UKCloud’s Director of Compliance & Information Assurance. As a Certified Data Protection Officer, he is responsible for co-ordinating UKCloud’s preparations for the forthcoming EU General Data Protection Regulation, and is a regular conference and event speaker on information security and data protection matters.