The ‘integrity and confidentiality’ principle of the GDPR – also known as the security principle – requires that you have appropriate security measures in place to protect the personal data you hold. In terms of data security, the central obligation under the GDPR is “taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, … [to] implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”.
The GDPR is not prescriptive as to what this means and there is no “one size fits all” solution – the GDPR takes a risk-based approach. It says that these measures may include pseudonymisation and encryption of personal data, and implementing a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Pseudonymised data (for example, replacing names with a number) remains subject to the GDPR, but pseudonymisation is a good technique for securing the data, for example, when sharing it with others. On the other hand, the GDPR makes clear that data protection laws do not apply to anonymised information (information which does not relate to an identifiable person). The GDPR does not go into any detail on how to anonymise data, and organisations often refer to personal data as having been ‘anonymised’ when, in fact, this is not the case. This presents a risk that you disregard the terms of the GDPR in the mistaken belief that you are not processing personal data. The ICO issued a code on anonymisation under the old Data Protection Act. In 2020, we can expect an update to this code.
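The distinction above between pseudonymised and anonymised data can be made concrete. The following is an added illustration, not from the original article: names in a set of constructed health records are replaced by a keyed token (an HMAC under a secret key, an assumption of this example rather than a GDPR requirement), and the lookup table is kept separately. Because the table or key lets the names be restored, the output is still personal data under the GDPR.

```python
import hmac
import hashlib
import secrets

# Constructed sample records for illustration only; not real people.
RECORDS = [
    {"name": "Alice Example", "postcode": "AB1 2CD", "diagnosis": "asthma"},
    {"name": "Bob Sample", "postcode": "EF3 4GH", "diagnosis": "diabetes"},
    {"name": "Alice Example", "postcode": "AB1 2CD", "diagnosis": "migraine"},
]


def pseudonym(name: str, key: bytes) -> str:
    """Deterministic keyed token: the same name under the same key gives the
    same token, so one person's records can still be linked, but the token
    cannot be turned back into the name without the key."""
    return hmac.new(key, name.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Return (pseudonymised records, lookup table).

    The lookup table is the 'additional information' that must be held
    separately under technical and organisational measures. While it (or
    the key) exists, the pseudonymised output is still personal data."""
    lookup = {}
    out = []
    for r in records:
        token = pseudonym(r["name"], key)
        lookup[token] = r["name"]
        out.append({"id": token, **{k: v for k, v in r.items() if k != "name"}})
    return out, lookup


def reidentify(pseudo_records, lookup):
    """Restore the names from the lookup table. That this is possible is
    exactly why the data is pseudonymised rather than anonymised."""
    return [
        {"name": lookup[r["id"]], **{k: v for k, v in r.items() if k != "id"}}
        for r in pseudo_records
    ]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # keep this out of the shared dataset
    pseudo, lookup = pseudonymise(RECORDS, key)
    print(pseudo)  # shareable form: no names, but linkable per person
    assert reidentify(pseudo, lookup) == RECORDS
```

Whoever holds only `pseudo` and neither the key nor `lookup` cannot recover the names; whoever holds either one can, so the dataset stays within the GDPR's scope.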
Encryption is a key tool for data security. As this is an established, widely-deployed technology, failing to encrypt data in transit or at rest risks being in breach of the security principle and could lead to fines if the data is compromised.
On the other hand, in the event of a data breach where the data had been effectively encrypted, there would be no requirement to notify data subjects of the breach, because the data would be “unintelligible” and so pose no risk to them.
However, the biggest causes of data breaches are relatively unsophisticated issues such as data being sent to the wrong recipient and email users falling for a phishing attack. While there are effective technologies that can help prevent these sorts of errors, employee awareness and training programmes will go a long way to protect against them, and are an important part of the “accountability” principle (see above Accountability – sounds good, but what does it actually mean?).