Risk assessment in GDPR – right or wrong measures?
When we were advising organizations on how to bring their businesses into compliance with the GDPR, that is, the Serbian Personal Data Protection Law, we often received responses indicating that organizations were “applying security best practices” to their information systems. What does this formulation mean?
In our experience, such wording is often an excuse for non-compliance with the GDPR. Controllers and processors should carry out an information security risk assessment and assess the risks that their business activities (processing activities) pose to personal data (that is, assess the security of processing), so that they can respond to the risks to personal data and to the rights and freedoms of data subjects by applying adequate technical, organizational and legal measures that mitigate the identified risks to an acceptable level.
Those familiar with the application of information security, the Data Protection Directive and the GDPR understand that information security is the predecessor and the cornerstone of personal data protection. The security of information systems is an integral part of GDPR compliance because information security systems are essential means for the processing of personal data.
To protect confidential business information, the efforts of the business community and information security experts have resulted in the adoption and implementation of information security standards. Organizations that had, and still have, a business interest in protecting confidential business information could, and still can, apply the requirements set out in these standards to secure their information systems. These efforts are expected to result in certification against an information security standard such as ISO/IEC 27001:2013 (Information Security Management Systems, ISMS). The key point of the certification process is that an independent accredited body verifies the state of the information security system and approves the security measures in practice. Certification means that the organization and its business partners can rely on the certificate and be confident about the level of information security.
However, organizations do not need an ISMS certificate to adequately protect their information systems. The prerequisites for adequate protection are that an information security risk assessment based on an adequate risk assessment methodology is carried out, and that adequate measures commensurate with that risk assessment are implemented. We have advised organizations to apply the methodology defined in ISO/IEC 27005:2018.
When we first started hearing from organizations that they use “security best practices” to protect their information systems, we were a little confused. We were confused by the meaning of such wording and by how “security best practices” can be applied to specific business environments where information security risks vary in each case. To reach a specific level of information security, an organization must apply an acceptable risk assessment methodology and then apply the information security measures that are commensurate with the assessed risks. Without an information security risk assessment, no “security best practice” can be verified in practice. When we started to analyze the state of information security within organizations, we came to the conclusion that everyone “follows security best practices”. We felt that organizations were “hiding” their information security measures, practices and possible security loopholes because of the competitive market. However, the GDPR significantly changes this practice and requires organizations to report data breaches to the supervisory authority. Most organizations have information security policies, but have never formally assessed their information security risks. Using “security best practices” without assessing information security risks is the same as an organization using “know-how” that does not match its actual needs. For example, when an organization applies technical measures such as firewalls, computer and network scanners, IDS/IPS systems, real-time log file scanners, system vulnerability scanners and the like, these measures may be unnecessarily expensive and not relevant to the actual information risks. In addition, organizational, operational and personnel measures can be just as effective as, but much cheaper than, technical measures.
On the other hand, with the rapid development of information technology and the processing of personal data, the main stakeholders in Europe concluded that an ISMS does not sufficiently address the protection of personal data (it mainly deals with business information) and therefore adopted the GDPR. For example, an ISMS has nothing to say about the processing of personal data, profiling, or monitoring the behavior of data subjects. The crucial difference is that an ISMS helps organizations implement a system to protect information security, while the GDPR focuses on how to use that information security system to protect personal data.
This concept is summarized in article 24 of the GDPR:
“Taking into account:
i) the nature, scope, context and purposes of the processing;
ii) the risks of varying likelihood and severity for the rights and freedoms of individuals,
the controller implements appropriate technical and organizational measures to ensure, and be able to demonstrate, that the processing is carried out in accordance with this Regulation.
These measures are reviewed and updated as necessary.
Where proportionate to the processing activities, the measures include the implementation of appropriate data protection policies by the controller.”
In addition, the GDPR requires controllers and processors to ensure the security of processing, which means not only the security of the information itself but the security of every form of processing of personal data, i.e. how the information security system is used to process personal data. When assessing the appropriate level of security, the GDPR requires that particular account be taken of the risks presented by the processing, in particular of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
These provisions should be interpreted as follows:
In addition to assessing information security risks, controllers must take into account additional sources of risk to personal data (in the GDPR: not only information security risks but also the security of the processing of personal data):
i) Nature of processing – whether automated, semi-automated or manual. Automated processing or profiling can lead to high risks for the rights and freedoms of natural persons, such as discrimination;
ii) Scope of processing, i.e. whether personal data is processed on a large scale or not;
iii) Processing context, i.e. context of an organization that processes personal data, for example, the risk is greater in an organization that sells goods online than in those that only produce food for animals;
iv) The purposes of the processing, which means that different purposes of the processing may entail risks of different level for personal data;
v) The organization should assess the “risk of varying likelihood and severity to the rights and freedoms of individuals”, i.e. the likelihood and severity of the impact of the risk (a breach of the confidentiality, integrity or availability of personal data) multiplied by the likelihood and severity of the risk occurring (from four main business areas: information technology, processing activities, the people involved in the processing and the production sector itself). In addition, organizations should assess how a violation of the confidentiality, integrity or availability of personal data may affect the rights and freedoms of data subjects.
For the risk assessment for personal data (security of processing), we apply the same risk assessment methodology as for the information security risk assessment, but with a focus on the security of the processing. For example:
i) Nature of processing: automated processing or profiling of customer personal data in part of the processing;
ii) Organizational context: a bank;
iii) Scope of processing: one of the major players in the market;
iv) Purpose of processing: to take decisions on loan applications;
v) Whether the risk of a violation of the confidentiality, integrity or availability of customers’ personal data is low, medium, high or very high, and how such violations may affect the rights and freedoms of data subjects.
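The scoring described above (likelihood multiplied by severity, aggravated by the nature and scope of processing and checked against an acceptable level), applied to the bank scenario, as an added example that is not part of the original article. The 1-4 scales, the +1 aggravation rules and the acceptable-level threshold are assumptions chosen for illustration.

```python
# Added example, not from the article: scoring a processing activity with the
# likelihood x severity approach the text describes, applied to its bank case.
# The 1-4 scales, the +1 aggravation rules and the acceptable level are assumptions.
from dataclasses import dataclass

ORDER = {"low": 1, "medium": 2, "high": 3, "very high": 4}

@dataclass
class ProcessingActivity:
    name: str
    nature: str        # "automated", "semi-automated" or "manual"
    large_scale: bool  # scope of processing
    context: str       # kind of organization
    purpose: str
    confidentiality: int  # impact on rights and freedoms if breached, 1-4
    integrity: int
    availability: int
    likelihood: int    # likelihood of such a breach occurring, 1-4

def severity(a: ProcessingActivity) -> int:
    # Worst-case impact across C, I and A, raised one step for automated
    # decisions/profiling and one for large-scale processing (the aggravating
    # factors the article lists under nature and scope), capped at 4.
    s = max(a.confidentiality, a.integrity, a.availability)
    s += (a.nature == "automated") + a.large_scale
    return min(s, 4)

def risk_score(a: ProcessingActivity) -> int:
    return a.likelihood * severity(a)  # 1..16

def risk_level(a: ProcessingActivity) -> str:
    # Bands of a 4x4 likelihood/severity matrix.
    score = risk_score(a)
    for limit, level in ((3, "low"), (6, "medium"), (9, "high")):
        if score <= limit:
            return level
    return "very high"

def needs_treatment(a: ProcessingActivity, acceptable: str = "medium") -> bool:
    # Risk above the acceptable level must be reduced by measures before the processing is compliant.
    return ORDER[risk_level(a)] > ORDER[acceptable]

# Constructed inputs: the article's bank scenario and a low-risk contrast case.
LOAN_DECISIONS = ProcessingActivity(
    "loan application decisions", "automated", True, "bank", "decide on loan applications",
    confidentiality=3, integrity=3, availability=2, likelihood=2)
SUPPLIER_LIST = ProcessingActivity(
    "supplier contact list", "manual", False, "animal feed producer", "order raw materials",
    confidentiality=1, integrity=1, availability=1, likelihood=1)
```

With these assumed inputs the bank's automated, large-scale loan decisions score 8 ("high") and require treatment, while the manual supplier list scores 1 ("low") and does not.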
Based on the risks identified in the two risk assessments (the information security risk assessment and the security of processing risk assessment), we recommend and support organizations in implementing an adequate organizational, technical and legal framework to mitigate the identified risks to an acceptable level.
Only when organizations implement adequate organizational and technical measures commensurate with the assessed risks can they say they are GDPR compliant.