The United Kingdom General Data Protection Regulation (UK GDPR) continues to be a daily challenge in everyday business. One area where notable difficulties arise is in the realm of technical and organisational measures (TOMs). Unfortunately, these measures are often misunderstood and, in some cases, inadequately implemented.
In this article, we will delve into the individual measures outlined in Art. 32 of the UK GDPR, providing a comprehensive understanding for their correct implementation in an organisation.
The measures of Art. 32 UK GDPR
Before delving into the specifics, it’s important to note that the list of measures in Art. 32 of the UK GDPR is not exhaustive. Depending on the specific circumstances, additional measures may be necessary to ensure proper data processing security. However, the examples provided by the legislator can be considered a minimum requirement for consideration. Therefore, a detailed assessment should address each individual measure, even if only to record that a particular measure is not relevant in the specific case; none of them should simply be overlooked.
Pseudonymisation: balancing identification and privacy
Pseudonymisation, as defined in Art. 4 (5) UK GDPR, is a critical measure. It ensures that during data processing, individual details enabling the identification of the data subject are absent. These identifying details must be removed from the processed data before any processing takes place. Moreover, it’s imperative to prevent the recombination of pseudonymous data with the information necessary for identification. De-pseudonymisation should not be easily achievable.
It’s important to distinguish pseudonymisation from anonymisation. While anonymous data cannot be linked to a person, pseudonymous data still allows for identification through additional information, albeit with limitations. In both cases, it’s often overlooked that simply removing unique identifiers like names may not suffice. Other information, whether in isolation or in combination with additional data, that allows for unique identification, must also be eliminated.
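The two points above, that the identifying details must be held separately from the processed data and that removing the name alone is not enough, can be made concrete in code. The following is an added example, not code from the original article: it replaces the direct identifier with a keyed pseudonym (HMAC-SHA256 under a secret key that lives with the separately stored lookup table), coarsens the quasi-identifiers (date of birth to year, postcode to outward code), and counts how many records can still be singled out by their quasi-identifier combination. The records, field names and key are constructed for the example.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (fictitious people). "name" is a direct identifier;
# date_of_birth and postcode are quasi-identifiers that can single someone out
# in combination even after the name is gone.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "date_of_birth": "1984-03-12", "postcode": "SW1A 1AA", "order_total": 42.50},
    {"name": "Bob Example",   "date_of_birth": "1990-07-01", "postcode": "SW1A 2BB", "order_total": 10.00},
    {"name": "Carol Example", "date_of_birth": "1990-11-30", "postcode": "SW1A 3CC", "order_total": 99.99},
    {"name": "Alice Example", "date_of_birth": "1984-03-12", "postcode": "SW1A 1AA", "order_total": 7.25},
]

DIRECT_IDENTIFIERS = ("name",)
QUASI_IDENTIFIERS = ("date_of_birth", "postcode")


def make_pseudonym(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 of the identifier under a secret key.

    The same person always maps to the same pseudonym (so records can still be
    linked for analysis), but without the key the value can be neither reversed
    nor recomputed from a guessed name.  The key is the 'additional information'
    of Art. 4(5) and must be kept apart from the pseudonymised data set.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def generalise(field: str, value: str) -> str:
    """Coarsen quasi-identifiers so that they no longer single out one person."""
    if field == "date_of_birth":
        return value[:4]            # keep the year only
    if field == "postcode":
        return value.split(" ")[0]  # keep the outward code only
    return value


def pseudonymise_records(records, key):
    """Return (pseudonymised records, lookup table).

    The lookup table maps pseudonym -> original identifier and is the piece that
    would allow re-identification; store it separately and with tighter access
    rights than the output records.
    """
    lookup = {}
    output = []
    for rec in records:
        new = {}
        for field, value in rec.items():
            if field in DIRECT_IDENTIFIERS:
                pseudonym = make_pseudonym(value, key)
                lookup[pseudonym] = value
                new["subject_id"] = pseudonym
            elif field in QUASI_IDENTIFIERS:
                new[field] = generalise(field, value)
            else:
                new[field] = value
        output.append(new)
    return output, lookup


def count_singletons(records, fields):
    """Number of records whose combination of `fields` is unique in the set.

    A non-zero count means those records can still be singled out through the
    remaining attributes, even though the direct identifier has been removed.
    """
    combos = Counter(tuple(r[f] for f in fields) for r in records)
    return sum(1 for r in records if combos[tuple(r[f] for f in fields)] == 1)


if __name__ == "__main__":
    key = b"constructed-example-key"  # in practice: generated, stored in a key store
    out, lookup = pseudonymise_records(SAMPLE_RECORDS, key)
    print("singletons before generalisation:", count_singletons(SAMPLE_RECORDS, QUASI_IDENTIFIERS))
    print("singletons after generalisation: ", count_singletons(out, QUASI_IDENTIFIERS))
    print("pseudonymised records:", out)
```

Run as written, the check shows two records (Bob and Carol) that are unique on date of birth plus postcode even with the name stripped, and none after the quasi-identifiers are generalised; whether year plus outward code is coarse enough depends on the actual data set and has to be assessed case by case.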
Encryption: protecting data access
Encryption involves the use of cryptographic techniques to safeguard personal data from unauthorised access. This protection must be seamlessly maintained for both data at rest and during transmission. The encryption methods employed must be robust and secure. Any keys utilised should be managed securely.
Confidentiality: safeguarding against unauthorised disclosure
Confidentiality, a cornerstone of information security, focuses on preventing unauthorised disclosure of information. Measures to achieve this goal encompass physical security (access control), logical protection against unauthorised access to systems, applications, and data (access control), ensuring that data is exclusively transmitted to authorised parties (disclosure control), and the application of encryption as an appropriate method.
For data controllers, this entails the establishment of secure working zones, authorisation concepts, and controlled information distribution based on clear classifications. Additionally, simple measures like installing privacy screens, setting up systems, enforcing a clean desk policy, and implementing automatic screen locks and logouts fall within this domain.
Integrity: preserving data accuracy and authenticity
Integrity measures safeguard the authenticity of data, ensuring its accuracy, completeness, and protection from unauthorised alterations. Input control, which involves logging who accessed and processed what data and how, is crucial to trace changes. Additionally, techniques like signatures and checksums can be utilised to verify that information remains unaltered.
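As an added illustration of the two integrity techniques named above (not code from the original article), the following Python combines a keyed checksum over a record with an input-control log whose entries are hash-chained, so that editing or deleting an earlier entry is detectable later. The record contents, actor names and key are constructed for the example; the HMAC key is assumed to be held in a key store, not in the application code.

```python
import hashlib
import hmac
import json


def canonical(obj) -> bytes:
    """Deterministic encoding so that the same content always yields the same digest."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def record_tag(record: dict, key: bytes) -> str:
    """Keyed checksum (HMAC-SHA256) over a record.  Unlike a plain checksum, an
    attacker who alters the record cannot recompute the tag without the key."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_record(record: dict, tag: str, key: bytes) -> bool:
    """Constant-time comparison of the stored tag against a freshly computed one."""
    return hmac.compare_digest(record_tag(record, key), tag)


class AuditLog:
    """Append-only input-control log: who changed which record, from what to what.

    Each entry carries the hash of the previous entry, so removing or rewriting
    an earlier entry breaks the chain for everything after it.
    """

    GENESIS = "0" * 64  # previous-hash value of the very first entry

    def __init__(self):
        self.entries = []

    def append(self, actor: str, action: str, record_id, old, new, when: str) -> str:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"actor": actor, "action": action, "record_id": record_id,
                 "old": old, "new": new, "when": when, "prev": prev}
        entry["hash"] = hashlib.sha256(canonical(entry)).hexdigest()
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> bool:
        """True only if every entry's hash matches its content and its prev link."""
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev"] != prev:
                return False
            unhashed = {k: v for k, v in entry.items() if k != "hash"}
            if hashlib.sha256(canonical(unhashed)).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


if __name__ == "__main__":
    key = b"constructed-integrity-key"
    rec = {"id": 7, "email": "c@example.invalid", "marketing_opt_in": True}
    tag = record_tag(rec, key)
    print("record intact:", verify_record(rec, tag, key))
    print("altered record accepted:", verify_record(dict(rec, marketing_opt_in=False), tag, key))

    log = AuditLog()
    log.append("jsmith", "update", 7, {"marketing_opt_in": True},
               {"marketing_opt_in": False}, "2024-01-05T09:12:00Z")
    log.append("jsmith", "update", 7, {"marketing_opt_in": False},
               {"marketing_opt_in": True}, "2024-01-06T14:30:00Z")
    print("log chain intact:", log.verify())
    log.entries[0]["actor"] = "someone_else"   # simulate tampering with history
    print("log chain intact after edit:", log.verify())
```

The plain SHA-256 chain only detects tampering if the latest hash is also recorded somewhere the log writer cannot change (for example, forwarded to a separate logging system); the keyed tag on the record additionally prevents a forger from simply recomputing the checksum.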
Availability: ensuring data accessibility
Availability, a longstanding concept in information security, remains unchanged under the UK GDPR. However, in practice, measures in this area are often inadequately described. The focus is often too narrow, concentrating solely on a few measures that exclusively protect central systems. Conversely, measures that do not belong in this category, typically data backup measures, are sometimes listed under this heading.
Measures related to availability ensure that information is accessible when and where it is legitimately needed. This involves not only describing redundancies but also addressing how protection measures against environmental hazards or deliberate damage are implemented. The absence of single points of failure must be acknowledged, and considerations regarding available bandwidths are also important. The view should encompass not only the server room and electrical systems but also the systems and network components that employees require for their work.
Resilience: building system robustness
Resilience, an often overlooked area, pertains to the tolerance or resistance of systems and applications against disruptions and irregularities. This includes statements about system hardening and ongoing monitoring. Additionally, automatic load distribution, scalability options during operation, or the shutdown and isolation of unstable systems are key considerations.
Recoverability: swift data restoration
Recoverability aims to swiftly restore impaired availability and data access. This involves data backup and the possibility of restoration. It may also include rebuilding individual systems or, in extreme cases, complete system landscapes. Further safeguards may include standby or backup systems, or even entire data centres.
Procedures for verification and evaluation
The final measure outlined in Art. 32 UK GDPR often receives attention, though not always the correct kind. What’s needed here are internal audits and ongoing, appropriate self-monitoring. Whether a data protection officer has been appointed or whether there are data processing agreements or confidentiality obligations is irrelevant on its own. What matters is how the effectiveness of technical and organisational measures is continuously measured and ensured.
Appropriateness and proportionality of the measures
In practice, there are situations where the perceived lack of appropriateness or the perceived disproportionality is used as a justification to avoid implementing measures deemed particularly complex or expensive. This understanding is flawed. The decisive factor is not the effort or cost associated with a data security measure, but how effectively it addresses the relevant risk.
Conclusion: technical and organisational measures are the foundation of data protection
Understanding and correctly implementing the technical and organisational measures outlined in Art. 32 UK GDPR is fundamental to ensuring data protection. Each measure plays a crucial role in safeguarding personal data from unauthorised access, alterations, and disruptions.
By comprehensively addressing these measures, organisations can establish a robust framework for data security, meeting the requirements of the UK GDPR and ensuring the privacy rights of individuals are upheld.