Security may not be the first word that comes to mind when thinking about GDPR and UK GDPR compliance, but recent matters indicate it should certainly be near the top of any compliance checklist.
Security of personal data is fundamental to every organization, and its significance scales depending on the type of data processing that takes place. Of the penalties issued for data protection infractions across the EU and UK in 2022 so far, over 70 include security, which is almost 20% of the total fines issued. Specifically, these fines were issued due to a breach of Article 32 of the GDPR/UK GDPR: failing to have appropriate technical and organizational measures in place to protect personal data. A breach of Article 32 of the GDPR or UK GDPR technically only attracts the “standard maximum” fine of €10/£8.7 million or 2% of global annual turnover; however, the offence is often coupled with other transgressions, which has led to fines of over €20 million.
We only have a few years of data relating to fines issued under the GDPR and UK GDPR, but it is already clear that, in terms of quantum at least, the current trend is on an upward trajectory, and a couple of recent matters relating to security and enforcement are noteworthy.
In the UK, the ICO has released its three-year strategic plan, “ICO25”, which includes a focus on the need to “safeguard and empower people, particularly the most vulnerable, by upholding our information rights”. Further information is yet to be provided; however, the ICO explains that this will be achieved by improving the supervision of cyber security of digital service providers and systems.
This focus on security is not just a UK issue: the incoming Australian Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 is set to increase the maximum penalties that can be applied for serious or repeated privacy breaches from the current AUS $2.22 million (~£1.2 million) penalty to whichever is the greater of: (i) AUS $50 million (roughly £28 million); (ii) 3x the value of any benefit obtained through the misuse of information; or (iii) 30% of an organization’s adjusted turnover in the relevant period. In relation to this, Mark Dreyfus, the Attorney-General of Australia, has been quoted as saying the “significant privacy breaches in recent weeks have shown existing safeguards are inadequate” and that Australia “need[s] better laws to regulate how companies manage the huge amount of data they collect, and bigger penalties to incentivize”. This dramatic penalty increase shows the seriousness with which data protection, and in particular security and safeguards, is being taken.
Returning to the GDPR and UK GDPR, Article 32 does not provide a prescriptive list of exactly what security measures are appropriate for an organization to adopt or how organizations should assess the level of risk that their data processing activities create. However, there are certain measures that all organizations should consider, and the greater the risk created by the processing, the more likely it is that a given safeguard will need to be implemented. These include:
- The pseudonymization and encryption of personal data;
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- The regular testing, assessing and evaluating of the effectiveness of technical and organizational measures for ensuring the security of the processing.
For organizations wondering how to put these measures into effect, the points below may provide a helpful starting point:
- Identify the personal data in the organization’s control. This can be achieved by conducting a data audit: asking what personal data is collected and stored, where it is held and what it is used for, who it is shared with (both internally and externally), and who is authorized to access and use it.
- Establish an appropriately experienced team, or appoint third-party advisors, to assess what technical and organizational security measures are appropriate for the organization. Conduct a data protection impact assessment (“DPIA”) and decide what is proportionate. A DPIA considers the nature, scope, context and purpose of processing, as well as how necessary the processing is and whether there are additional measures to mitigate any risks to data subjects.
- Consider the use of encryption and pseudonymization; implement access controls, including multi-factor authentication; maintain activity logs; provide training to employees about security awareness, with ongoing updates; and carry out patching and scanning to identify and remediate security issues.
- An incident response plan and data breach notification policy should also be put in place to ensure there are clear processes and procedures to follow when a crisis occurs.
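Pseudonymization is the first measure Article 32(1)(a) names, and the item above asks organizations to consider it, so here is a worked illustration of what it looks like in practice. This is an added example written for this page, not code from the article or from any regulator; it assumes keyed HMAC-SHA256 tokens as the pseudonymization method, treats `name` and `email` as the direct identifiers (an assumption), and uses constructed sample records rather than real people. The point it makes is the one the GDPR makes: the data only stays pseudonymous if the key needed to re-identify people is held separately from the pseudonymized dataset.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample records for illustration only; these are not real people.
# The third row is the same person as the first, with different casing/spacing.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "Alice@Example.com", "postcode": "AB1 2CD", "plan": "gold"},
    {"name": "Bob Sample", "email": "bob@example.org", "postcode": "EF3 4GH", "plan": "basic"},
    {"name": "Alice  Example", "email": " alice@example.com ", "postcode": "AB1 2CD", "plan": "gold"},
]

# Fields treated as direct identifiers (an assumption for this example).
DIRECT_IDENTIFIERS = ("name", "email")


def generate_pseudonymization_key() -> bytes:
    """Fresh 256-bit secret. Store it apart from the pseudonymized data
    (e.g. in a key vault) so a leak of the dataset alone is not a leak of identities."""
    return secrets.token_bytes(32)


def normalize(value: str) -> str:
    """Case- and whitespace-insensitive form so one person yields one token."""
    return " ".join(value.split()).lower()


def pseudonym(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token. Unlike a plain hash, it cannot be recomputed
    from a guessed name or email address without the key."""
    digest = hmac.new(key, normalize(value).encode("utf-8"), hashlib.sha256).hexdigest()
    return "pseu_" + digest[:32]


def pseudonymize_record(record: dict, key: bytes, fields=DIRECT_IDENTIFIERS) -> dict:
    """Replace each direct identifier with its token; other fields are left untouched."""
    out = dict(record)
    for field in fields:
        if out.get(field) is not None:
            out[field] = pseudonym(out[field], key)
    return out


def pseudonymize_dataset(records, key: bytes, fields=DIRECT_IDENTIFIERS):
    return [pseudonymize_record(r, key, fields) for r in records]


def leaks_direct_identifier(pseudonymized, originals, fields=DIRECT_IDENTIFIERS) -> bool:
    """Post-condition check: no normalized original identifier survives anywhere in the output."""
    blob = json.dumps(pseudonymized).lower()
    for rec in originals:
        for field in fields:
            if rec.get(field) is not None and normalize(rec[field]) in blob:
                return True
    return False


def reidentify(token: str, candidates, key: bytes, field: str = "email"):
    """Re-identification needs the key and the original records, both of which stay
    with the key holder, not with whoever receives the pseudonymized dataset."""
    for candidate in candidates:
        if pseudonym(candidate[field], key) == token:
            return candidate
    return None


if __name__ == "__main__":
    key = generate_pseudonymization_key()
    dataset = pseudonymize_dataset(SAMPLE_RECORDS, key)
    print(json.dumps(dataset, indent=2))
    print("identifier leak:", leaks_direct_identifier(dataset, SAMPLE_RECORDS))
```

The token for a given person is stable under one key (so analytics and de-duplication still work) and changes completely under another, which is why rotating or segregating keys per recipient limits how far a dataset can be linked back. The `leaks_direct_identifier` check is the kind of automated test that supports the "regular testing, assessing and evaluating" item in the Article 32 list above.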
Whether you are a 10-person organization with just one office or a multinational company with locations across the world, it is essential to consider whether you have appropriate measures in place for the type of data processing you undertake. The significance of this to an organization’s operational risk is becoming more material as regulators globally are focusing on data security and tightening their approach to compliance more broadly. The goal is security and the time to act is now!