Monthly Archive: October 2019

Resolving Tensions between GDPR Security Obligations and Business Needs

Further to the adoption of the GDPR, and as businesses are rolling out new tools and mechanisms to carry out operations, the question arises often whether these operations are GDPR compliant.  Does access to systems that contain personal data have to be verified by two-factor authentication?  Do customer databases always have to be pseudonymised?  Do drives have to be permanently encrypted?

The obligations contained in the GDPR seemingly set a high bar for businesses to put in place compliant security measures.  However, the guidance papers issued by ENISA (“Handbook on Security of Personal Data Processing”, December 2017), the French data protection authority (CNIL) (“Security of Personal Data”, 2018) and the Article 29 Working Party (“Guidelines on DPIA”, October 2017) shed some light on the minimum security measures that are expected from businesses when they handle personal data in general, sensitive personal data or data of a highly personal nature. 

  • Common errors committed when assessing and remedying security risks

When evaluating risks to personal data or systems, companies tend to treat the absence of a security measure as a valid parameter for determining risk, regardless of whether the measure in question is actually necessary to address a risk.  As a result, the resulting risk levels are likely to be flawed or skewed. 

Furthermore, because companies often treat the absence of a security measure as a “risk” in itself, it will always have to be “fixed” by implementing that measure, regardless of the actual risk level.  For example, the absence of pseudonymised or encrypted personal data will lead companies to think that they need to implement both pseudonymisation and encryption, even if the risk scores and the volume of personal data at risk are low. 

  • The challenge of evaluating risks and implementing appropriate security measures

Risks should be identified and measured as the likelihood of materialisation of a threat against the impact of such threat on privacy.  ENISA, the CNIL and the EU data protection authorities refer to the following sequential steps that are necessary to carry out an assessment and recommendation on security of personal data:

  • Step 1: Defining the processing operation (e.g., understanding the data processing operation, the kinds of personal data processed).
  • Step 2: Understanding and evaluating the impact (e.g., minor inconveniences if disclosure, or major, significant and irreversible consequences).
  • Step 3: Defining the possible threats (e.g., data loss, leaks, broad accessibility, etc.).
  • Step 4: Evaluating risks, measuring threat levels against impact levels, e.g.:
  • Step 5: Adopting the appropriate security measures to address the risks.

As can be seen, particularly in Steps 4 and 5, every security measure should address a risk, but the absence of a security measure does not in itself represent an issue, unless a risk is exposed and not addressed. 

  • Finding the appropriate security measure to address risks

The question then becomes, what security measures should be adopted by entities in order to address risks? 

If risk levels are based on (a) the threat score and (b) the score for the number of personal data records that could be affected, companies can rely on this data to filter and focus on the higher-risk scores (i.e., larger amounts of personal data, potentially sensitive, being processed and subject to high levels of threat), and apply the general rules indicated by ENISA or the CNIL. 

For example, if the score for the number of personal data records that could be affected (b) assigned to a certain system is low, then the absence of certain security measures should not be an issue, and that risk can be addressed through other, less onerous measures. 

By contrast, there might be a need to implement a security measure if it is necessary to address a (high) risk.  For example, if the level of risk is high, then one might need to implement appropriate (and even, to a certain extent, overlapping) security measures to ensure that the high level of risk is addressed.

ENISA and CNIL have provided the following categorisation of risk levels for the following types of personal data processes:

  • Low-risk (low threat and low impact):
    • Marketing and advertising information (e.g., contact information such as name, postal address, telephone number, email).
    • Contact details of B2B suppliers of services and goods (e.g., first and last name, contact information, tax and banking information (for suppliers)).
  • Medium-risk (low/medium threat and low/medium impact):
    • Payroll processing information (e.g., social security number, taxation identifiers, date of employment, salary information).
    • Recruitment data (e.g., academic education and qualifications, working experience, further professional or academic training, family status, first and last name, address, telephone numbers, date of birth, interview notes/report).
    • Employee evaluation information (e.g., position within the SME, date of employment, employment history, technical skills, knowledge and behaviour).
    • E-learning platform information (e.g., date of birth, date of admission, selected courses, evaluation results, grades).
  • High-risk (medium/high threat and medium/high impact):
    • Health services data (e.g., social insurance number, medical examination results, pathologies, allergies, diagnosis and cure schemas, related administrative and financial information).

As can be seen, only very specific data processes expose systems to high risks.  In other cases involving personal data such as salary information or education, the level of risk is medium or even low.  This will have a bearing on the security measures that are necessary to address each processing purpose.

Data Protection Duplicities and Comparison

A Snapshot of Data Protection Compliance Around the World

Along with the EU’s GDPR, many other jurisdictions have caught up with their privacy legislation.  This effort has led to a patchwork of privacy and data protection laws that multinationals and companies that operate worldwide have to comply with.  In our experience, companies’ main concerns focus on the following topics, which are subject to different approaches in the main jurisdictions around the world. 

1. Consent

An analysis of the different regulatory requirements to process personal data in various jurisdictions shows that there is an appreciable overlap in the legal bases that companies may rely on to process personal data. 

In particular, numerous jurisdictions consider ‘consent’ as a valid legal basis (or, even, the standard basis) to enable companies to process personal data. 

However, in these jurisdictions the concept of valid ‘consent’ is also shallow.  It does not enable data subjects to provide genuinely informed and free consent.  In a way, this is what allows companies to rely on consent to cover a wide array of data processes in contexts where such ‘consent’ may not have been given genuinely freely (e.g., where employees give consent, or where users must give consent in order to receive a service). 

Other jurisdictions, such as the EU, have adopted a more sophisticated approach towards ‘consent’.  This is only workable alongside other legal bases (e.g., legitimate interests, contract performance) that allow companies to process data without the data subjects’ free and informed consent.  For example, only such alternative bases allow companies to process data such as candidate or employee data fairly and on a proper legal basis.

Companies should therefore take account of the different regulatory specificities in the different jurisdictions worldwide, and should adapt their processes and legal bases in order to ensure that each collection and processing of personal data is compliant in each jurisdiction. 

2. Data breach notifications

Obligations to report data breaches have been increasingly imposed by legislation around the world. 

In May 2018, the newly applicable GDPR imposed across the EU the obligation to report data breaches.  Until then, data breach notification obligations existed in some Member States (e.g., Netherlands, which included incidents not qualifying as data breaches).

Also in 2018, Alabama became the last US state to establish a data breach notification obligation for companies operating or processing data in its territory.

When an incident involving personal data occurs, several questions may arise regarding whether the incident qualifies as a reportable data breach, and whether the obligation to report is triggered.  Companies should adapt their data breach notification policies and procedures in order to ensure that any incident is assessed properly, subject to the laws of those jurisdictions that may be applicable. 

Finally, even within one jurisdiction, companies should also be aware of sector-specific legislation that may require more detailed disclosures in addition to the general data breach reporting requirements.  For example, in the EU, specific disclosure obligations exist for data breaches of telecommunication providers (e-Privacy Directive), security breaches and integrity losses of trust service providers (eIDAS Regulation), and incidents having a significant impact on the continuity of ‘essential services’ (NIS Directive). 

3. Data transfers

Nowadays, business models increasingly rely on globalisation to grow, which implies cross-border data transfers.  These transfers have made it possible for consumers around the world to access a wider range of goods and services, regardless of where they are located.

There are still some jurisdictions around the globe that have not established any restriction on cross-border transfers of personal data.  However, an increasing number of countries provide that data can only be exported if the country of destination affords an adequate level of protection to the data. 

The EU has emerged as the jurisdiction of reference for determining which countries confer an adequate level of protection on personal data.  Some countries, like Colombia, even refer to the EU’s selection in order to confirm that transfers to these jurisdictions satisfy an adequate level of protection. 

Some countries rely on alternative means to validate data transfers, such as “consent”.  As discussed above, however, this is not an appropriate means to legitimise data transfers where refusing consent is not possible or a refusal cannot be honoured. 

Other countries have imitated the EU’s approach of publishing standard contract clauses to transfer personal data (e.g., Argentina).  Furthermore, data processing agreements may be required for transfers to processors (e.g., Colombia). 

Companies are encouraged to map out their data transfers and to establish the best framework for the transfer of data among subsidiaries. 

4. Data subject rights

Today, most jurisdictions recognize basic rights, such as to obtain information, to correct data or to opt-out from/object to certain processes.

The right to erasure has been developed in recent years so as to apply to any type of process or database, including online.  However, there are increasing questions regarding the actual substantive and geographic scope of that right, which will be resolved by the EU courts in the coming years. 

By contrast, certain other rights are less common.  For example, the right to data portability in the EU is one that may be replicated around the world in the near future, although its actual implementation and application by companies needs to be determined or explained by authorities. 

Formally speaking, the GDPR requires companies to respond to data subject rights that are exercised within a given period, and to fulfil certain conditions.  Similar rules exist in other countries, but the vast majority of jurisdictions do not set out specific time limits and procedures for complying with these rights.  Companies will therefore have to ensure that they address data subject rights adequately and in a timely manner. 

Blog Intro – EU Data Protection

The authors of this blog met two years ago in the context of the preparation of the GDPR-compliance package of a multinational corporation.  In addition to overseeing the legal and technical aspects of the compliance project, the authors expanded their expertise while facing numerous challenges from a security and a data protection standpoint. 

More than a year has passed since the GDPR became applicable; awareness and enforcement of its provisions have increased within the EU, while regulatory developments have multiplied outside the EU.  The implications of this legislation for companies are significant, regardless of their size or sector. 

In this blog, we aim to comment and give our views on the latest developments in the application of EU privacy rules, including the GDPR and e-privacy regulations.  From both a legal and a technical perspective, we will provide our broad analysis of the rules that can be distilled from regulators’ guidance and precedent.  We will provide companies and practitioners with useful tips and trends to watch out for in the privacy and cybersecurity space. 

We look forward to interacting with the readers of this blog, and to share and exchange views on data protection matters by encouraging the legal and scientific discussion.