
Security and GDPR

1. Security and GDPR

Welcome!

2. Security aspects of GDPR

Securing personal data is one of the critical requirements of GDPR. In this chapter, we'll learn about the integrity and confidentiality principle of GDPR, which requires various organizational and technical measures to ensure personal data security; the privacy risks organizations need to be aware of; and the concepts of the privacy-by-design approach and new privacy-enhancing technologies.

3. Integrity and confidentiality

The integrity and confidentiality principle stated in Article 5 of GDPR requires appropriate security of personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage, using appropriate technical or organizational measures. Loss or disclosure of personal data could cause harm to both the safety and rights of individuals. Examples of these undesirable events include identity theft, intimidation, and threats to political activists if their data is compromised. Let's begin to examine the organizational measures.

4. Organizational measures

For starters, organizational measures are wide-ranging procedural and policy measures that create the right culture and awareness regarding data protection. Organizations must provide relevant training and skills development opportunities for their employees and management. These measures include drafting and implementing an organizational policy and data protection statements. Remember the employee who sent an email with the recipients' email addresses in CC rather than BCC? A good organizational policy, together with employee training, would have prevented it. Organizations should also define the roles and responsibilities related to GDPR obligations and clearly communicate accountability obligations. To determine the suitable measures for ensuring data security, organizations must perform risk assessments of the possible risks, based on their size, the amount and type of data they hold, and the nature and objective of the processing. For projects or processing situations that pose a high risk, they may have to conduct a Data Protection Impact Assessment, or DPIA.

5. Data protection impact assessment (DPIA)

Data protection impact assessments, or DPIAs for short, are mandatory for data processing activities considered high risk. By risk, GDPR means any adverse consequence for individuals' rights and safety. The DPIA should cover the scope, context, nature, and purpose of processing. It should assess the risks and benefits based on the proportionality tenet of GDPR. Organizations should propose technical and organizational mitigation measures and have to consider residual risks after mitigation. Even for low-risk processes, a DPIA is a useful instrument and is considered a good GDPR practice.

6. DPIA criteria

So how do we know when to conduct a DPIA? The first step is to understand whether you are dealing with a high-risk situation or not. High-risk situations include scoring and evaluation based on personal data analysis; automated decision-making; systematic monitoring, such as tracking location data; processing sensitive data, such as biometric or healthcare data; large-scale data processing; combining different datasets containing personal information; processing data of vulnerable data subjects; the use of new technologies that may require personal data processing; and data transfers outside the EU to countries without adequacy decisions. Let us look in detail at two example scenarios where DPIAs are mandatory.

7. DPIA use cases

A police force of an EU country wants to set up a smart surveillance system in train stations. This system would combine the camera images of passengers with the biometric data from the ID card database and other police databases to identify individuals accurately. In this case, a DPIA is essential because of the data's sensitive nature, the combining of datasets, and the tracking of individuals. A European supermarket chain sets up a targeted advertising system in its stores, with a smart camera system integrated into a screen displaying advertisements. The system captures when and how long a person looks at an ad, as well as their age, gender, clothing choices, and emotional state inferred from their facial expressions. The supermarket does targeted product advertising based on this data. While the risks are lower than in example 1, a DPIA would be necessary since the system could be considered to be tracking individuals.

8. Let's practice!

We've learned about organizational measures, including risk assessments, to ensure data security. In the following video, we'll look into the technical measures. Before you go, let's test your newly acquired knowledge.
