GDPR and cyber-security: An opportunity that cannot be ignored
A new dawn in data protection is rising in the EU with the introduction of the General Data Protection Regulation (GDPR), which becomes binding and directly applicable in all EU Member States on 25 May 2018.

This important legislative act imposes various obligations on “data controllers” and “data processors”. These can be persons and organisations, including businesses, that handle the personal data of “data subjects”, in other words identified or identifiable individuals living in the EU. Data controllers determine the purposes and means of the processing of personal data, while data processors process this data on behalf of controllers. Where the actual processing takes place is irrelevant in this regard. Importantly, the GDPR even applies to persons and entities based outside the EU that process the personal data of EU data subjects when they offer goods and services to these people or monitor their behaviour in the EU. To avoid financial penalties or court proceedings, data controllers and processors need to comply with the GDPR, and a major part of that compliance concerns data security arrangements.

One of the essential data protection principles laid down in the GDPR specifies that personal data must be processed in a manner that ensures an appropriate level of security. This means that a variety of measures, organisational as well as technical, must be taken, such as those aimed at protecting data against unauthorised or unlawful processing and against accidental loss, destruction or damage. Data controllers and processors are required to think carefully about how to secure personal data effectively and to take all necessary steps to prevent possible infringements of the Regulation. They are expected to carry out a risk assessment, evaluating the risks that may arise during the processing of personal data, and to mitigate those risks by implementing technical and organisational measures.

Depending on the particular scenario, it is necessary – among other things – to use encryption and pseudonymisation of personal data, to adopt instruments for restoring the availability of and access to this data after a physical or technical incident, and to create processes for evaluating the effectiveness of data security measures. When taking such measures, data controllers and processors must pay attention to the state of the art and the costs of implementation, and weigh these aspects against the nature of the personal data in question, its processing and the identified risks.

The GDPR identifies these risks as the accidental or unlawful destruction, loss or alteration of personal data, as well as the unauthorised disclosure of, or access to, personal data that is processed, any of which can lead to physical, material or non-material damage. When a risk materialises and a personal data breach occurs, the data controller is required to notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of discovering the breach. However, if the controller can demonstrate that the breach is unlikely to result in a risk to the rights and freedoms of individuals, notification of the breach can be avoided. A data processor operating on behalf of a controller must notify that controller of a possible personal data breach.

Some threats to personal data fall under the category of high risks to the rights and freedoms of individuals, which trigger additional obligations for data controllers. Indications of a high risk include the processing of sensitive personal data or data concerning vulnerable data subjects, systematic monitoring, and automated decision-making with legal or similarly significant effects. When the processing does indeed pose a high risk, the data controller is obliged to act in accordance with the relevant GDPR requirements: the supervisory authority must be consulted before the processing begins, a mandatory data protection impact assessment must be carried out, and data subjects must be informed of a personal data breach if one takes place.

With the GDPR just around the corner, data controllers and processors should become aware of their duties and devote significant attention to the cyber-security of their operations. This is undoubtedly a great challenge, but it cannot be left undone: all individuals and organisations dealing with personal data must ensure that they comply with the new data protection regime. The risk of non-compliance is simply too great.

Contributed by Dr E. Moyakine, postdoctoral research fellow at the Security, Technology & e-Privacy (STeP) Research Group of the University of Groningen (RUG) and lead educator on the Understanding the General Data Protection Regulation course on the FutureLearn platform.

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.