This important legislative act imposes various obligations on “data controllers” and “data processors”: persons and organisations, including businesses, that handle the personal data of “data subjects”, in other words identified or identifiable individuals living in the EU. Data controllers determine the purposes and means of the processing of personal data, while data processors process this data on behalf of controllers. In this regard, it is irrelevant where the actual processing takes place. Importantly, the GDPR even applies to persons and entities based outside the EU that process personal data of EU data subjects when they offer goods and services to these people or monitor their behaviour in the EU. To avoid financial penalties or court proceedings, data controllers and processors need to comply with the GDPR, and a major part of this compliance concerns data security arrangements.
One of the essential data protection principles laid down in the GDPR specifies that personal data must be processed in a manner ensuring an appropriate level of security. It means that a variety of not only technical but also organisational measures are to be taken, such as those aimed at the protection against unauthorised or unlawful processing and accidental loss, destruction or damage of data. Data controllers and processors are required to carefully think about the ways to effectively secure personal data and take all necessary steps in this respect to prevent possible infringements of the Regulation. They are expected to make a risk assessment by evaluating risks that might occur during the processing of personal data and mitigate them by implementing technical and organisational measures.
Depending on a particular scenario, it is necessary – among other things – to use encryption and pseudonymisation of personal data, adopt instruments for restoring the availability and access to this data in case of a physical or technical incident and create processes for evaluating the effectiveness of data security measures. Taking such measures, data controllers and processors must pay attention to the state of the art and the costs of implementing them and consider these aspects in relation to the nature of the personal data in question, its processing and the identified risks.
The GDPR identifies the above-mentioned risks as the accidental or unlawful destruction, loss or alteration of personal data. In addition, it refers to the unauthorised disclosure of, or access to, personal data being processed, which can lead to physical, material or non-material damage. When a risk materialises and a personal data breach occurs, a data controller is required to notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of discovering the breach. However, if a controller is able to demonstrate that the breach is not likely to result in a risk to the rights and freedoms of individuals, notification of the breach can be avoided. A data processor operating on behalf of a controller must notify that controller of a possible personal data breach.
Some threats to personal data fall under the category of high risks to the rights and freedoms of individuals, which trigger additional obligations for data controllers. Indications of a high risk include the processing of sensitive personal data and data regarding vulnerable data subjects, systematic monitoring and automated decision-making with legal or similar effects. When the processing does indeed pose a high risk, a data controller is obliged to act in accordance with the relevant GDPR requirements: the supervisory authority must be consulted before the processing begins, a mandatory data protection impact assessment must be carried out and data subjects must be informed of any personal data breach that takes place.
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.