1. Risk analysis.
Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR), which repeals Directive 95/46/EC, obliges controllers to adopt the necessary technical and organisational measures to guarantee the security of the data, especially their confidentiality, availability and integrity.
The GDPR does not specify measures to be adopted, leaving it to each controller to assess the risks inherent to the processing and apply measures to mitigate these (taking into account current technical possibilities and the cost of applying the measures), such as reducing the amount of data processing as much as possible, pseudonymisation of data, or data encryption.
In order to design and roll out the security measures, a risk analysis of each processing operation is required. The risk analysis must be formalised in a document that the controller and the DPO have to keep available to the supervisory authority in case it is requested.
In the circumstances provided for by the GDPR, and in the cases identified by the supervisory authorities, the controller must, in addition, formalise a data protection impact assessment signed by the functional controller and the UAB DPO.
2. Security measures.
Although the GDPR does not require any specific security measures, it seems appropriate to adopt those contained in Spanish Royal Decree 1720/2007, of 21 December, which enacts the Regulation implementing the Organic Law on the protection of personal data (LOPD):
- Procedure for backing up and recovering data.
- Procedure for confirming the identity of authorised users.
- Access controls.
- Access register.
- Limit to repeated unauthorised access attempts.
- Procedure for assigning and managing passwords, and expiry periods.
- Unintelligible storage of active passwords.
- Management of storage media.
- Designation of a person in charge of coordinating and monitoring the security measures.
- Security procedures in the transmission of data.
3. Breaches of security.
The GDPR requires the supervisory authority and the data subjects to be notified of security breaches that present, or could present, a major risk to the rights and liberties of natural persons, whether these are the owners of the data or third parties.
This notification must be made within 72 hours of the breach occurring or of the controller becoming aware of it.
The following are some examples of what is regarded as a security breach:
- Destruction of data.
- Accidental or unlawful loss or alteration of personal data disclosed to third parties.
- Communication of or unauthorised access to data.
- Technical incidents that could compromise the security or the confidentiality of the data.
Risks to the rights and freedoms of data subjects.
The following are some cases in which it is understood that security breaches cause, or could cause, physical, material or immaterial damages to natural persons.
- Loss of control over the data.
- Restrictions of rights.
- Identity theft.
- Financial losses.
- Unauthorised reversal of pseudonymisation.
- Damage to reputation.
- Loss of confidentiality of personal data protected by professional secrecy.
- Any other significant economic or social disadvantage.
To eliminate or minimise the risks or the consequences of security breaches, the controller must adopt the necessary technical and organisational measures, which must include the following:
- Pseudonymisation or encryption of personal data.
- Procedures to guarantee the confidentiality, integrity, availability and permanent resilience of the processing systems and services.
- Ability to restore availability and access to the personal data quickly in the event of a physical or technical incident.
- Procedure for verifying and assessing technical and organisational measures.
Documentation of security breaches.
Controllers must maintain a register of security breaches, which must be at the disposal of the data protection officer and the Catalan Data Protection Authority.
The register of security breaches may be in paper or electronic format. It must contain, at least, the information referred to in Articles 33 and 34 of the GDPR, which can be consulted in Section 3.2 of this document.