The GDPR risk-based approach and data security

11th February 2019 by Diogo Duarte

The European General Data Protection Regulation (GDPR) lays down the rules relating to the protection of natural persons with regard to the processing of personal data and the rules relating to the free movement of personal data. In a broader sense, the GDPR has standardized data protection laws across European Union Member-States, by imposing strict rules on controlling and processing personally identifiable information (PII).

The GDPR’s embraces a risk-based approach to data protection. Under its comprehensive data protection regime, it encourages any organization that processes personal data to adopt the appropriate security measures to the level of risk of their data-processing activities.

Article 32 (1) GDPR includes a brief reference to a few security measures, such as:
a) pseudonymisation and encryption of personal data,
b) the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services,
c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, and
d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

However, there isn’t a specific compliance checklist of controls to be used by the organizations (“controllers” and/or “processors”). Instead, the EU regulation has opted to include a generic rule in its text, according to which organizations must implement “appropriate technical and organizational measures to ensure a level of security appropriate to the risk”. This generic rule is complemented by article 32 (2) GDPR, which establishes that, when assessing the “appropriate level of security”, organizations shall take the risks presented by processing of personal data in particular consideration. In other words, the GDPR embodies a risk-based approach that includes, at first, a risk-based view of security; and the implementation of a risk-based program/framework, in the following stage.

As mentioned in article 32 (1) GDPR, when assessing the security of processing, organizations must take into account the “state of the art”. This generic formulation gives flexibility to the law by permitting its adaptation to different cases and contexts over time. Otherwise, the option of laying down a specific process would carry the risk of becoming obsolete considering the rapid development of technology. Thus, considering the current "state of art", a common practice has been observed and implemented among organizations. This practice informs that controllers and processors should assess the risk according to the following rule:

Asset x Vulnerability x Threat = Risk
*Asset – Value of information
**Vulnerability – Degree of security controls
***Threat – Likelihood of a cyber-attack

This simple – but effective – formula requires that priorities and decisions should be established by organizations, after a careful consideration of data sensitivity, system vulnerability and the likelihood of threats. The risk resulting from applying this formula can be divided into the following three categories: high-risk, risk, and low-risk. Each one of these categories obliges organizations to perform a certain set of actions and obligations under the GDPR.

If organizations engage with activities that involve a high risk to the protection personal data, the GDPR imposes heightened requirements on those organizations. In such cases, it may be necessary for organizations to consult the supervisory authority, before processing personal data (Art. 36 GDPR), as well as conduct a Data Protection Impact Assessment (Art. 35 GDPR). This tool determines, in advance, the privacy risks involved in data processing.

For organizations whose activities are not considered "high-risk", an appropriate level of data security should be put in place, considering the risk of those activities. This means that organizations are required to “ensure a level of data security appropriate to the risk” and demonstrate that processing is performed in accordance with the GDPR rules. In this context, organizations are required to adopt risk-based measures for ensuring compliance with the GDPR general obligations set under the chapter IV (articles 24 and following).

The "low-risk" activities don't exempt the organization from complying with GDPR. However, where the risk to data subjects is minimal, organizations may be exempt from certain obligations, such as the obligation to notify authorities of a data breach (Art. 33 (1) GDPR).

The proposed formula is a key element to assess risk, but one must bear in mind that, more than simply factoring risk when deploying security solutions, the GDPR requires a holistic approach, in which organizations should use the risk-based security approach to identify what security controls should be implemented, and where and when they should be applied.

In any case, a strong security approach requires more than the implementation of protective and preventive measures. Organizations must be aware that their security approach needs to be complemented with two other critical components: detection and response measures.

Diogo Duarte

Legal Counsel – LL.M. in International Law