The General Data Protection Regulation (GDPR) has reinforced the provisions on the security of personal data (both in substance and in context) and has also extended this responsibility directly to data processors. Beyond being a principle (namely a prerequisite) for the processing, security is one of the main elements of controllers' accountability. This means that compliance cannot be merely formal and based on the implementation of closed checklists; it must be linked to the "context" in which the processing operation takes place and to the actual risks.

One of the core obligations for data controllers and processors under the GDPR is the security of personal data. In particular, according to the GDPR, security equally covers confidentiality, integrity and availability, and should be addressed following a risk-based approach: the higher the risk, the more rigorous the measures that the controller or the processor needs to take in order to manage that risk.

Based on the provisions of GDPR Art. 32, personal data security is strongly risk-based, but a personal data security risk management system needs to adapt to the specificities of personal data. Evidently, as a first point, in the context of the risk assessment the impact needs to be considered towards the individuals (and their rights and freedoms), hence taking a different angle from the classic security risk assessment.

The scale is not necessarily relevant to this end, e.g. the impact may be high even if the number of affected persons is low. In addition, possible secondary effects may also need to be considered (e.g. when assessing the possible impacts of a personal data breach). Moreover, after the evaluation of risks, the risk management process differs from typical security risk management. For example, risk acceptance would not be possible where risks to individuals are concerned. In addition, risk treatment would need to integrate privacy enhancing technologies, e.g. technologies reducing the identifiability of data subjects (which do not necessarily qualify as protection technologies under the "classic" Confidentiality, Integrity, Availability (CIA) triad).

ENISA Publications:

In an effort to support organisations and especially Small and Medium Enterprises (SMEs) in the EU in complying with the GDPR obligations, ENISA proposed a risk-based approach for the adoption of security measures for the protection of personal data: Guidelines for SMEs on the security of personal data processing.

A number of use cases have also been provided in the Handbook on Security of Personal Data Processing, to demonstrate the use of the risk-based approach in practice.

An analysis of the different security measures (and possible implementation options) is also provided in the Study - Reinforcing trust and security in the area of electronic communications and online services. The proposed security measures are based on the ISO 27000 family of standards, also incorporating additional controls that are specific to the processing of personal data.

Online Tool

In order to support the practical implementation of the aforementioned ENISA guidance, ENISA also provides an On-line Tool for the Security of Personal Data Processing, which consolidates and simplifies the risk-based adoption of security measures for all interested parties.
