What are the GDPR’s rules on security?
Article 5.1(f) states that personal data must be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”. This is, in effect, the Regulation’s security principle.
Article 32 sets out rules on the security of processing. Examples of appropriate technical and organisational measures include:
- The pseudonymisation and encryption of personal data;
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- The ability to restore the availability and access to personal data in the event of a physical or technical incident;
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational security measures.
When choosing the security measures to implement, data controllers and processors must take account of the risks involved in processing – a risk assessment or DPIA (data protection impact assessment) will help you determine which measures are appropriate. Conducting DPIAs is good practice even where the risk is initially perceived as low, as your assessment may reveal risks you had not considered.
Find out more about meeting the GDPR’s security requirements
What are the GDPR’s data processing principles?
Unlike the Data Protection Act 1998’s eight data protection principles, the GDPR has six data processing principles. Personal data must be:
- Processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ('accuracy');
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
Find out more about GDPR compliance
What lawful bases for processing should we use, and do we always need consent?
Processing is lawful only if, and to the extent that, one of the following applies:
- The data subject has given their unambiguous consent to the processing of their personal data for one or more specific purposes.
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject before entering into a contract.
- Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Processing is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject that require protection of personal data, in particular where the data subject is a child. (This basis does not apply to processing carried out by public authorities in the performance of their tasks.)
You do not need consent if you rely on one of the other bases for processing.
In fact, consent is arguably the weakest lawful basis for processing because it can be withdrawn at any time. When consent is withdrawn, your organisation will be obliged to erase the individual’s data if they request you to – unless you can demonstrate a lawful reason to retain it.
It is therefore always worth determining whether another lawful basis for processing can apply.
In many cases, organisations will be able to rely on ‘legitimate interests’. As the most flexible of the six lawful bases for processing, it could theoretically apply to any type of processing carried out for any reasonable purpose, although the onus will be on you to balance your legitimate interests against the interests, rights and freedoms of the data subjects.
Whichever lawful basis for processing you deem appropriate for each processing activity, your organisation must keep a record of it.
Find out more about GDPR compliance
What rights do individuals (data subjects) have under the GDPR?
Data subjects have the following rights relating to how their personal data is processed:
- The right to be informed.
- The right of access.
- The right to rectification.
- The right to erasure.
- The right to restrict processing.
- The right to data portability.
- The right to object.
- Rights in relation to automated decision-making and profiling.
Find out more about data subjects’ rights
Does my organisation need to register under the GDPR?
Every organisation or sole trader that processes personal data must register with the ICO (Information Commissioner’s Office) – unless all the processing they carry out is exempt – and pay an annual fee.
The fee you pay depends on your size and turnover:
- Tier 1: micro organisations (with a maximum annual turnover of £632,000 or no more than 10 employees) must pay £40 per year.
- Tier 2: small and medium-sized organisations (with a maximum annual turnover of £36 million or no more than 250 employees) must pay £60 per year.
- Tier 3: large organisations (those that do not meet the criteria for tiers 1 or 2) must pay £2,900.
Some exemptions apply. For more information, read our blog Data protection fee: how much must data controllers pay to register with the ICO?
How can ISO 27001 help me comply with the GDPR?
ISO 27001 is the international standard that sets out the specifications for a best-practice ISMS (information security management system) – a risk-based approach to information security that encompasses people, processes and technology. This broad approach is fundamental to processing data in line with the GDPR; the vast majority of data breaches reported to the ICO (Information Commissioner’s Office) stem from human error.
Find out more about how ISO 27001 can help you comply with the GDPR
Why are risk assessments essential for GDPR compliance and how do you perform them?
The GDPR doesn’t prescribe the security controls you should implement. Instead, it requires them to be “appropriate” to the risks presented by processing. Regular information security risk assessments will help ensure that you implement only those controls that are relevant (and, consequently, cost-effective).
A good information security risk assessment should follow five stages:
1. Establish a risk assessment framework:
There are many formal methodologies available, but whichever one you choose, the process should be objective, transparent and auditable.
2. Identify risks
Identify all the events that might compromise the security of personal data as you process it. Developing a list of information assets is a good place to start. A data flow audit helps identify the relevant information assets, such as hard-copy information, electronic files and removable media.
3. Analyse risks
Identify the threats and vulnerabilities that could apply to each information asset. (A vulnerability is something that is part of the asset, while a threat is external to the asset.)
4. Evaluate risks
Calculate where each risk sits on your risk scale and whether any fall outside your predetermined levels of acceptable risk. This should identify your greatest risks, so you can prioritise which ones to address first.
5. Select risk management options
Four risk management options are available to reduce each risk to an acceptable level:
- Avoid – end the activity or circumstance causing the risk.
- Modify – change the risk level, typically by implementing security controls that reduce likelihood or impact.
- Share – share the risk, usually by outsourcing or taking out insurance.
- Retain – if the risk falls within the established risk acceptance criteria, you may choose to accept it and do nothing.
Find out more about information security risk assessments
When processing is likely to result in a high risk to the rights and freedoms of data subjects, a DPIA (data protection impact assessment) is mandatory. DPIAs are a type of risk assessment that identify the risks affecting the security of personal data and work out their likely effects.
Article 35 states that a DPIA is required in the case of:
- Automated decision-making, including profiling, that could significantly affect data subjects;
- Large-scale processing of special categories of data (relating to race or ethnicity, political opinions, health, sexuality, etc.), or personal data relating to criminal convictions and offences; and
- Systematic large-scale monitoring of public areas.
Find out more about DPIAs under the GDPR