Security of Processing Flashcards

1
Q

Potential fines for data breaches

A

Up to €20,000,000 or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher (the upper tier in Article 83(5)). Note that infringements of the controller's and processor's security and breach-notification obligations (Articles 32 to 34) fall under the lower tier in Article 83(4): up to €10,000,000 or 2%, whichever is higher.

2
Q

What does Article 32 of GDPR say about security?

A

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk

3
Q

What should controllers consider when determining security measures?

A

The most cutting-edge technology is not always the most secure; "state of the art" means what the consensus of security professionals currently considers effective, not the newest product

Controllers need not choose the most expensive option, but whichever option is chosen should reflect a demonstrably reasoned management decision that can be documented for a supervisory authority

4
Q

What are some results that would be considered appropriate technical and organizational measures under GDPR?

A

Controls that bring about pseudonymization, encryption, confidentiality, integrity, resilience

5
Q

What are some suggested actions that may ensure a level of security appropriate to the risk?

A

Pseudonymization and encryption of personal data

Ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services

Ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

A process for regularly testing, assessing and evaluating the security of processing

6
Q

Does the GDPR mandate requirements for security programs? What does it suggest?

A

GDPR does not mandate specific requirements for controllers and processors, but suggests security measures to have in place that consider:

  • nature of the data
  • context of the processing
  • purpose of the processing
  • scope of the processing

Also account for state of the art and cost of implementation

7
Q

What are security controls and what are their attributes?

A

Processes and mechanisms used to protect an information system; a well-designed control also fails safe and promptly alerts when it stops working, because a control that fails silently leaves the system unprotected without anyone knowing

Attributes (CIAR):

1) Confidentiality: individuals, entities, systems and applications access data only on a need-to-know basis
2) Integrity: controls ensure data is accurate and complete and that unauthorized changes are detected
3) Availability: data is accessible when needed for a business activity
4) Resilience: processing systems and services can withstand errors, attacks and failures and recover from them

8
Q

What should a holistic approach to security consider?

A

Management and worker buy in: organizations should foster a culture of risk awareness and respect for personal data throughout the entire employment lifecycle (from onboarding through termination)

A policy framework: a repository for an organization’s rules for confidentiality and security. It contains security objectives and scope; security principles, standards and compliance requirements; and roles and responsibilities.

Physical environment: may include sophisticated entry control systems, video surveillance, and lock-and-key and clean-desk policies

Information Technology: protection mechanisms such as encryption, antivirus and anti-spam technology, firewalls, identity and access management, incident detection, data loss prevention, two-factor authentication, IP log management, and regular security code peer review. GDPR specifically suggests implementation of pseudonymisation and encryption.

Incident detection and response: regular testing of technical and organizational measures assesses and evaluates their effectiveness and helps ensure the ability to restore availability and access to personal data in a timely manner if lost
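Cards 5 and 8 name pseudonymisation as a measure without showing what makes it effective. The following Python example is added here and is not part of the original flashcards. It implements keyed pseudonymisation with HMAC-SHA256 in the sense of Article 4(5): the key and the reverse lookup table are the "additional information" that must be held separately from the pseudonymised dataset. It also shows why an unkeyed hash is not pseudonymisation: an attacker holding a list of candidate e-mail addresses rebuilds the mapping by brute force. The records, the context strings and all function and class names are constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample dataset (not from the original page).
RECORDS = [
    {"email": "anna@example.org", "diagnosis": "asthma"},
    {"email": "bob@example.org", "diagnosis": "diabetes"},
    {"email": "anna@example.org", "diagnosis": "pollen allergy"},
]


def keyed_pseudonym(identifier: str, key: bytes, context: str) -> str:
    """HMAC-SHA256 pseudonym. Deterministic for one key+context, so rows for the
    same person stay joinable, but infeasible to reverse or brute-force without
    the key. The context string domain-separates keys so the same person gets
    unlinkable pseudonyms in different datasets or for different purposes."""
    normalised = identifier.strip().lower().encode("utf-8")
    msg = context.encode("utf-8") + b"\x00" + normalised
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def unkeyed_pseudonym(identifier: str) -> str:
    """The common mistake: a plain hash. Anyone with a list of candidate
    e-mail addresses can rebuild the mapping, so this is not pseudonymisation."""
    normalised = identifier.strip().lower().encode("utf-8")
    return hashlib.sha256(normalised).hexdigest()[:32]


class PseudonymisationService:
    """Holds the 'additional information' (key and reverse lookup) that
    Article 4(5) requires to be kept separately, under its own access controls,
    from the pseudonymised dataset. The dataset itself never carries the key."""

    def __init__(self, context: str, key: Optional[bytes] = None) -> None:
        self._context = context
        self._key = key if key is not None else secrets.token_bytes(32)
        self._reverse: Dict[str, str] = {}

    def pseudonymise(self, identifier: str) -> str:
        token = keyed_pseudonym(identifier, self._key, self._context)
        self._reverse[token] = identifier
        return token

    def reidentify(self, token: str) -> Optional[str]:
        """Only the party holding this service (the key) can re-identify."""
        return self._reverse.get(token)


def pseudonymise_records(records, service: PseudonymisationService, field: str = "email"):
    """Return a copy of the records with the direct identifier replaced by a token;
    the originals are left untouched."""
    out = []
    for rec in records:
        copy = dict(rec)
        copy[field] = service.pseudonymise(copy[field])
        out.append(copy)
    return out


def dictionary_attack(tokens, candidates, derive):
    """Attacker model: knows the derivation function and a list of likely
    identifiers, but not the key. Returns whatever it manages to recover."""
    rainbow = {derive(c): c for c in candidates}
    return {t: rainbow[t] for t in tokens if t in rainbow}


if __name__ == "__main__":
    svc = PseudonymisationService(context="clinic-2024")
    pseudo = pseudonymise_records(RECORDS, svc)
    print(pseudo)
    print("re-identified by key holder:", svc.reidentify(pseudo[0]["email"]))
    guesses = ["anna@example.org", "bob@example.org", "carol@example.org"]
    weak = [unkeyed_pseudonym(r["email"]) for r in RECORDS]
    print("attack on unkeyed hashes:", dictionary_attack(weak, guesses, unkeyed_pseudonym))
    print("attack on keyed tokens:", dictionary_attack([r["email"] for r in pseudo], guesses, unkeyed_pseudonym))
```

The design choice worth noting: deterministic keyed tokens keep the data useful (the two rows for the same patient remain linked) while a per-purpose context string prevents linking the same person across datasets that were pseudonymised for different purposes. If the key is stored next to the dataset, or leaks in the same breach, the data is no longer pseudonymised in any meaningful sense.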

9
Q

Article 28 of GDPR

A

The controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the data subject's rights (Article 28(1))

Sufficient guarantees = a written contract (Article 28(3)) plus assurance mechanisms, such as vetting the processor before signing and monitoring it for the life of the contract

10
Q

What are some challenges with vendor management?

A

  • The difficulty of verifying how far the controller can rely on the processor's reliability
  • Complex contract provisions
  • Contracts between parties with unequal bargaining power
  • Cloud computing, where the processor sets standard terms and the controller has limited visibility of subprocessors and data locations

11
Q

Processor contract due-diligence and pre-contractual considerations

A

To ensure processors provide appropriate security, controllers should exercise pre-contractual due diligence through:

  • RFIs and RFQs
  • site visits
  • audit observations

Pre-contractual considerations:

  • processor’s data protection knowledge
  • recent high-profile breaches
  • recent and current investigations
  • accreditations
  • subprocessors
  • processor’s policy framework
12
Q

What should a contract with a processor include?

A

  • subject matter and duration of the processing
  • nature and purpose of the processing
  • type of personal data
  • categories of data subjects
  • obligations and rights of the controller

13
Q

Contract stipulations for a processor according to GDPR

A

The processor will:

  • process the personal data only on documented instructions from the controller, unless required to do so by EU or member state law (in which case the processor informs the controller before processing, unless the law prohibits it)
  • ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under a statutory obligation of confidentiality
  • implement the appropriate technical and organizational measures required by Article 32
  • respect the conditions for engaging sub-processors
  • assist the controller, as far as possible, in responding to requests from data subjects exercising their rights
  • assist the controller in complying with its obligations on security, breach notification, data protection impact assessments and prior consultation (Articles 32 to 36)
  • delete or return all personal data at the end of the processing services, at the controller's choice, and delete existing copies unless EU or member state law requires storage
  • make available to the controller all information necessary to demonstrate compliance with Article 28, and allow for and contribute to audits, including inspections, by the controller or an auditor mandated by the controller
  • immediately inform the controller if, in its opinion, an instruction infringes the GDPR or other EU or member state data protection law

14
Q

Engaging subprocessors

A

The processor shall not engage another processor (a sub-processor) without prior specific or general written authorization of the controller; under a general authorization the processor must inform the controller of any intended addition or replacement so the controller can object (Article 28(2))

The same data protection obligations as in the controller-processor contract must be flowed down to the sub-processor by contract, and the initial processor remains fully liable to the controller if the sub-processor fails to fulfil them (Article 28(4))

15
Q

How does the GDPR define personal data breach?

A

Personal Data Breach:
-breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed

16
Q

Controller/processor breach notification obligations

A

Processor must inform the controller (processor–>controller)

Controller –> supervisory authority

Controller –> Data subjects

17
Q

When must a controller notify a supervisory authority of a data breach?

A

Unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons (Article 33(1)).

The controller must notify without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach; a later notification must be accompanied by reasons for the delay. Information may be provided in phases where it cannot all be given at once. The processor must notify the controller without undue delay after becoming aware of a breach (Article 33(2)).

18
Q

When does a controller “become aware” that a breach has occurred?

A

When the controller has a reasonable degree of certainty that a security incident has occurred that led to personal data being compromised. A short period of investigation to establish whether a breach has actually occurred is acceptable, but the 72-hour clock starts once that certainty is reached, so the investigation must begin promptly.

19
Q

What should a communication with a supervisory authority include in the case of a data breach?

A

Categories of data subjects

Approximate number of data subjects and records

Contact info of the controller/DPO

Consequences of the breach

Measures that have or will be taken in response to the breach

20
Q

When should a controller notify data subjects of a breach?

A

Without undue delay and in clear and plain language, if the breach is likely to result in a high risk to the rights and freedoms of natural persons (Article 34(1)); this is a higher threshold than the "risk" that triggers notification to the supervisory authority

21
Q

When do controllers not have to notify data subjects of a breach?

A

Article 34(3): no individual notification is required if

  • the controller had implemented appropriate technical and organizational measures, such as encryption, that render the personal data unintelligible to any person not authorized to access it, and those measures were applied to the affected data (this only holds if the key was not compromised in the same breach)
  • the controller has taken subsequent measures that ensure the high risk to the rights and freedoms of data subjects is no longer likely to materialize
  • individual notification would involve disproportionate effort, in which case an equally effective public communication or similar measure is required instead

The supervisory authority may still require the controller to notify data subjects (Article 34(4)).

22
Q

What is the NIS Directive?

A

Directive on Security of Network and Information Systems (Directive (EU) 2016/1148)

Adopted in July 2016; member states had to transpose it into national law by May 2018

First EU-wide cybersecurity law

Not specifically concerned with personal data, but it is aligned with the GDPR and indirectly bolsters the security of personal data within the operators of essential services and digital service providers regulated by the Directive. It has since been repealed and replaced by the NIS2 Directive (Directive (EU) 2022/2555).

3 focuses:

1) National capabilities (national CSIRTs, competent authorities and cybersecurity strategies)
2) Cross-border collaboration (the Cooperation Group and the CSIRTs network)
3) National supervision of critical sectors (security requirements and incident reporting for operators of essential services and digital service providers)