At some point in most of my GDPR training sessions I point out that Article 32 is my favourite article of the Regulation. Why do I do this? Partly because I like to see the reaction on people’s faces and … well … partly because it is my favourite article!
Article 32 Explained
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Before I go any further I’d like to point out that this article specifically places similar obligations on both data controllers and processors; this was not the case under the previous legislation. If you don’t know the difference between controllers and processors keep an eye out for future blogs or sign up for one of our GDPR courses.
Article 32: Risk-Based Approach
It is often said that the GDPR takes a risk-based approach – Article 32 is all about risk. In order to work out what are ‘appropriate technical and organisational measures’ you will need to carry out a risk analysis, taking into account the:
- state of the art
  - this doesn’t mean ‘leading edge’, it just means what is ‘at the leading edge of normal’ in your sector and is reliable.
- costs of implementation
  - no matter how much you spend, you will not achieve total information security. If you are a small business you will spend less than a large business. You need to dedicate an ‘appropriate’ level of resource.
- nature, scope, context and purposes of processing
  - you need to consider what processing you are carrying out, on what data, in what environment (physical, cultural, technical …).
- risk of varying likelihood and severity
  - the overall risk associated with processing will depend on the type of personal data breach, the likelihood of each type, and damage which could be suffered by data subjects for each type. Types of data breach include accidental or unlawful destruction, loss or alteration of data or unauthorised disclosure of data. These can have very different consequences – think of what could happen if a hospital’s only copy of a patient’s drug regime was altered or if someone obtained your login details for your online bank account. Think of the seriously dodgy marketing possibilities if someone is known to be suffering from an incurable disease. Don’t forget, the damage here can be physical, financial or psychological.
What about the requirement to implement measures including inter alia as appropriate … ? In case you didn’t learn Latin at school, ‘inter alia’ means ‘among others’. The suggestion here is clearly that you should use all four of the listed measures. If you don’t think you need to use them all, your risk analysis should argue that the balance between your risk to data subjects, your availability of resources and your use of alternative measures gives an appropriate level of security without using the prescribed measures. If you can afford to, it may just be simpler to implement the four measures!
So what are these suggested measures?
- For most people encryption is a familiar concept but pseudonymisation is not yet so well known, although it is well known to those carrying out clinical trials. Pseudonymisation serves a similar purpose to encryption, making unauthorised access to data difficult by splitting it into two parts: one is information which allows an individual to be identified and one is the information we want to know about them. If someone obtains just one part of the data it is meaningless; they need both parts in order to restore the original data.
- Confidentiality, integrity, availability and resilience are standard information security terms:
  - Confidentiality: information should only be available to people or systems authorised to access it
  - Integrity: information should be protected from unauthorised alteration or corruption
  - Availability: information should be available as and when needed. Timescales will depend on your use of the data.
  - Resilience: if your information system fails, can it be restored in a reasonable timescale?
- If you have a ‘physical or technical incident’, such as an internet cable being damaged by a digger digging up the pavement in front of your office, can you restore availability and access to data in a ‘timely manner’? You may need to consider onsite backups or Wi-Fi access if your bandwidth needs are not high.
- A process for checking the effectiveness of technical and organisational measures is known as penetration testing (or pen testing). You pay someone to try and hack into your system to either demonstrate security or flag up weaknesses which can then be addressed.
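The two-part split described in the pseudonymisation bullet above can be shown in a few lines of Python. This is an added example, not part of the original article; the field names, the choice of `name` and `email` as the identifying fields, and the sample records are assumptions made for illustration.

```python
import secrets

# Fields treated as directly identifying (an assumption for this example).
IDENTIFYING_FIELDS = ("name", "email")


def pseudonymise(records):
    """Split records into an identity store and a pseudonymised data store.

    Each person gets a random pseudonym that reveals nothing about them;
    the pseudonym is the only link between the two stores.
    """
    identity_store = {}  # pseudonym -> identifying fields (held separately)
    data_store = []      # pseudonym + the information we want to know
    seen = {}            # email -> pseudonym, so one person keeps one pseudonym
    for record in records:
        key = record["email"]
        if key not in seen:
            seen[key] = secrets.token_hex(16)
            identity_store[seen[key]] = {f: record[f] for f in IDENTIFYING_FIELDS}
        payload = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
        data_store.append({"pseudonym": seen[key], **payload})
    return identity_store, data_store


def reidentify(identity_store, data_store):
    """Restore the original records; this needs BOTH parts."""
    restored = []
    for row in data_store:
        identity = identity_store.get(row["pseudonym"])
        if identity is None:
            raise KeyError("no identity entry for pseudonym " + row["pseudonym"])
        payload = {k: v for k, v in row.items() if k != "pseudonym"}
        restored.append({**identity, **payload})
    return restored


# Constructed sample data, not real people.
SAMPLE = [
    {"name": "Alice Example", "email": "alice@example.org", "trial_arm": "A", "dose_mg": 20},
    {"name": "Bob Example", "email": "bob@example.org", "trial_arm": "B", "dose_mg": 0},
    {"name": "Alice Example", "email": "alice@example.org", "trial_arm": "A", "dose_mg": 25},
]

if __name__ == "__main__":
    ids, data = pseudonymise(SAMPLE)
    print(data)  # no names or e-mail addresses appear in this part
```

Pseudonymised data is still personal data under the GDPR because the identity store allows re-identification, so the two parts should sit under separate access controls. The remaining fields can also identify someone indirectly if they are rare enough, which the risk analysis needs to consider.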
Your risk analysis doesn’t have to be perfect, but when you have a significant data breach the Information Commissioner’s Office is likely to want to see how you have justified the security measures you have in place. If you have nothing you are likely to be in difficulties. Don’t forget, the requirement here is not to prevent personal data breaches, but to have measures in place to ensure an appropriate level of security. If you have appropriate measures, even if they fail, you are not in breach of the GDPR.