The emergence of the new General Data Protection Regulation (hereinafter GDPR) has caused a general concern that can be summarized in a single question:
What should I do to comply with the GDPR?
The answer to this question can be found in the infographics published by the Spanish Data Protection Agency (AEPD), one for the private sector and one for the public sector. These infographics lay out road maps for a correct adaptation to the GDPR, and the point they have in common is the obligation to implement technical and organizational measures based on the results of a risk analysis.
This obligation is not unfounded, as part of Article 32 of the Regulation states that:
“…the data processor and controller shall apply appropriate technical and organizational measures to ensure a level of security appropriate to the risk, which, where appropriate, shall include, among others:
- the pseudonymization and encryption of personal data;
- the ability to guarantee the permanent confidentiality, integrity, availability and resilience of processing systems and services…”
This requirement causes a paradigm shift when it comes to adapting to data protection regulations, because it increases the weight given to technology, which is becoming ever more present in our lives and, above all, in our work.
Under the old Organic Law on the Protection of Personal Data (hereinafter LOPD), the security measures set out in its Development Regulation (hereinafter RDLOPD) had to be implemented based on the data processed, regardless of the technology used. Now, with the GDPR, the security measures considered necessary must be implemented based on both the data processed and the systems used to process them.
Therefore, we must be clear that a GDPR adaptation project implies, in addition to adapting privacy policies, clauses and procedures, adapting the technology used to carry out the data processing, so as to reduce the likelihood of suffering a security incident that affects personal data or, in the GDPR's own terms, a personal data breach.
Such is the importance the GDPR places on personal data breaches that Articles 33 and 34 set out guidelines for notifying both the AEPD and the data subject in the event of suffering one. It should be noted that, thanks to this new requirement, cases are coming to light of companies whose security breaches arose from a vulnerability in their systems.
From the experience gained in executing projects, and following the indications of the Spanish Data Protection Agency, a good practice for adapting to the GDPR, as far as technical and organizational measures are concerned, is to follow the recommendations of a security control framework such as ISO 27002. Complying with such a standard does not by itself amount to full adaptation to the GDPR, but it does mean that the security measures needed to reduce the probability of a security incident involving personal data will be in place.
Linking the importance the new Regulation gives to personal data breaches with the cases published in the media, we can deduce that the management of technical vulnerabilities is an important factor in reducing the likelihood of a breach occurring.
Furthermore, following the thread of complying with a standard such as ISO 27002 as a good practice within a GDPR adaptation, this statement is reinforced by the fact that one of the controls included in this standard is called “12.6 Management of technical vulnerabilities”, which corroborates that technical vulnerabilities are an important aspect of information security and, therefore, of personal data protection.
At the same time, we must bear in mind the new framework of fines defined in the GDPR, which sets out the penalties that can be applied depending on the article infringed. For the case that concerns us, Article 32, the fine can reach €10,000,000 or 2% of the total annual turnover of the previous financial year, whichever is higher.
In short, the aim of this post is to give the management of technical vulnerabilities the importance it deserves within a GDPR adaptation, starting from the requirement to implement the necessary technical and organizational measures and, in addition, from the possibility of being fined in the event of a personal data breach.