Commentary to art. 32

GDPR – commentary

A continuously updated commentary on the General Data Protection Regulation.
We only write about what is important in practice.

Security of processing

  • The controller and the processor shall ensure the security of the personal data they process by implementing appropriate organisational and technical measures.
  • The implemented data protection measures should be proportionate to the level of risk associated with the processing.
  • In order to identify data protection measures, a risk analysis of the data to be processed should be carried out. In particular, the analysis should identify the sources and nature of the risks to the data, the level of the risks and the means to mitigate them.
  • The risk analysis should be documented and updated on a regular basis.
  • Appropriate security may also be ensured by implementing solutions provided for in recognised codes of practice or certification mechanisms.

The obligation to ensure the security of personal data and who is responsible for it:

The obligation to ensure the security of personal data means the obligation to prevent unauthorised or unlawful processing of personal data and its accidental loss, destruction or damage.

This obligation applies to all controllers and processors of personal data.

Importantly, the wording of this obligation does not mean that the controller or the processor will be liable in every case of a data security breach. If such a breach occurs, they may be held liable if it is found that the data protection measures they applied were inappropriate. A breach may occur despite the application of appropriate data protection measures.

How to ensure data security:

The security of personal data required by the GDPR must be ensured by implementing appropriate organisational and technical data protection measures.

Organisational and technical data protection measures:

Organisational and technical data protection measures are not defined in the GDPR. In practice, this is a very broad concept. Generally speaking, organisational and technical data protection measures are any actions, activities or solutions implemented or undertaken by the controller or the processor with the intention of ensuring appropriate security of personal data. Such measures may include:

  • Internal procedures;
  • Staff training;
  • Contractual confidentiality provisions;
  • Physical security solutions (e.g. hiring a security company, CCTV surveillance, lockable doors or armoured cabinets, electronic access control, fire alarms, etc.);
  • Cyber security solutions (e.g. DLP software, anti-virus software, firewalls, encryption of hard disks or electronic communications);
  • Other IT solutions, e.g. backups, penetration tests, access passwords, software updates, network connection layout.

Other examples of organisational and technical measures are set out in the GDPR and include:

  • Pseudonymisation and encryption of personal data;
  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures taken to ensure the security of the processing.

How to select ‘appropriate data protection measures’:

Based on the wording of the PUODO (Polish Office for the Protection of Personal Information) Decision, it appears that PUODO expects controllers and processors to carry out a so-called risk analysis, which will lead to the selection of appropriate personal data protection measures. These measures are to be chosen taking into account the state of the art, the cost of implementation and the nature, scope, context and purpose of the processing as well as the risk of violation of the rights and freedoms of natural persons with varying degrees of probability and seriousness.

In this regard, we would like to quote extracts from PUODO Decision No. DKN.5131.47.2022 of 18 July 2023, in which PUODO provided a number of relevant opinions on the implementation of data protection obligations and stated, inter alia, that:

  • For the proper implementation of the obligations under the aforementioned provisions of Regulation 2016/679, the controller should first carry out a risk analysis and, based on it, identify and implement appropriate security measures for the processing of personal data.
  • (...) The identification of appropriate technical and organisational measures is a two-step process. First, it is necessary to determine the level of risk associated with the processing of personal data, taking into account the criteria set out in Article 32(1) of Regulation 2016/679, and then to determine which technical and organisational measures are appropriate to ensure a level of security commensurate with that risk. (...) According to Article 32(2) of Regulation 2016/679, when assessing the adequacy of the level of security, the controller shall take into account in particular the risks associated with the processing, in particular the risks of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed.
  • One of the legal foundations for the protection of personal data introduced by Regulation 2016/679 is the obligation to ensure the security of processed data, as set out, inter alia, in Article 32(1) of Regulation 2016/679. This provision introduces a risk-based approach, specifying the criteria on the basis of which the controller should select appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Thus, in addition to the risk of violating the rights and freedoms of natural persons, the controller should take into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing.
  • Regulation 2016/679 introduces an approach in which risk management is the cornerstone of personal data protection activities and is an ongoing process. Personal data processors are obliged not only to ensure compliance with the guidelines of the aforementioned Regulation by implementing organisational and technical security measures on a one-off basis, but also to ensure continuous monitoring of the risk level and to ensure accountability regarding the level and adequacy of the safeguards put in place. This means that it becomes a necessity to be able to prove before the supervisory authority that the introduced solutions aimed at ensuring personal data security are appropriate to the level of risk, as well as take into account the nature of a given institution or undertaking and the personal data processing mechanisms applied. The controller is expected to carry out on his/her own a detailed analysis of the data processing operations carried out and to make a risk assessment, and then to apply measures and procedures that are appropriate to the estimated risk. The consequence of such a course is to abandon lists of security requirements imposed by the legislator in favour of an independent selection of security measures based on a risk analysis. No specific security measures and procedures are addressed to administrators.
  • One of the methods of conducting a risk analysis is to define the level of risk as the product of the probability and impact of an incident. A risk matrix is typically used to illustrate the risk levels in a visual way, showing the risk levels for which the institution or undertaking defines appropriate responses.
  • In order for the risk analysis to be performed correctly, the risks that may occur in data processing operations should be defined for each asset.
  • It should also be emphasised that the consideration of the likelihood of an event occurring should not be based solely on the frequency of events occurring in the institution or undertaking, as the fact that an event has not occurred in the past does not mean that it cannot occur in the future.
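The method the decision describes, as an added illustration that is not part of this commentary or of the PUODO decision: risks defined per asset, the level computed as the product of probability and impact, matrix cells mapped to a response band, a versioned record for accountability, and a check that likelihood is not justified by past frequency alone. The 5-point scales, the bands, the field names and the sample register are assumptions.

```python
from dataclasses import dataclass, field
SCALE = range(1, 6)  # assumed 5-point scales for probability and impact; level = product (1..25)
# Assumed bands: lower bound of the level and the response the organisation defines for it.
BANDS = [(15, "unacceptable: add controls before processing continues"),
         (8, "high: mitigate with a named owner and deadline"),
         (4, "medium: mitigate or accept with written justification"),
         (1, "low: accept and re-check at the next review")]

@dataclass
class Risk:
    asset: str                     # risks are defined per asset (e.g. a database, paper files)
    threat: str                    # nature of the risk: destruction, loss, alteration, disclosure, access
    probability: int               # 1 (rare) .. 5 (almost certain)
    impact: int                    # 1 (negligible) .. 5 (severe) for the data subjects
    likelihood_basis: list[str]    # evidence behind the probability score
    measures: list[str] = field(default_factory=list)

    def validate(self) -> None:
        if self.probability not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.asset}/{self.threat}: scores must be within 1..5")
        # No basis, or past frequency alone, is rejected: "never happened" != "cannot happen".
        if set(self.likelihood_basis) <= {"internal incident history"}:
            raise ValueError(f"{self.asset}/{self.threat}: likelihood needs evidence beyond past frequency")
    def level(self) -> int:
        return self.probability * self.impact
    def response(self) -> str:
        return next(text for floor, text in BANDS if self.level() >= floor)

def risk_matrix(risks: list[Risk]) -> dict[tuple[int, int], list[str]]:
    """Cells of the visual matrix: (probability, impact) -> asset/threat pairs in that cell."""
    cells: dict[tuple[int, int], list[str]] = {}
    for r in risks:
        cells.setdefault((r.probability, r.impact), []).append(f"{r.asset}: {r.threat}")
    return cells

def document(risks: list[Risk], version: int, assessed_on: str) -> list[dict]:
    """Accountability record: one row per risk with level, response and the measures chosen."""
    for r in risks:
        r.validate()
    return [{"version": version, "date": assessed_on, "asset": r.asset, "threat": r.threat,
             "level": r.level(), "response": r.response(), "measures": list(r.measures)}
            for r in risks]

# Constructed sample register for a hypothetical HR system (not taken from any real analysis).
REGISTER = [
    Risk("HR database", "unauthorised disclosure via stolen laptop", 3, 5,
         ["mobile workforce", "sector incident reports"], ["full-disk encryption", "remote wipe"]),
    Risk("HR database", "loss through ransomware", 2, 4, ["threat intelligence"], ["offline backups"]),
    Risk("Paper personnel files", "destruction by fire", 1, 3, ["building fire assessment"], ["fire alarm"]),
]
```

A later update (new threat identified, changed processing) is recorded by appending rows with a higher version number rather than overwriting the earlier record.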

Recognised security standards, such as ISO 27701, can be useful in conducting a risk analysis to determine appropriate data protection measures.

Advice on risk analysis can be found in the guides produced by PUODO.

The role of risk analysis in the process of determining “appropriate data protection measures” in the context of GDPR compliance:

From a practical point of view, the risk analysis should provide a justification as to why the controller has implemented certain data protection measures in his/her institution or undertaking and why he/she considers them to be “appropriate” within the meaning of GDPR Article 32. The analysis should be quite detailed and cover all data processing operations carried out in the institution or undertaking.

In practice, carrying out a risk analysis is a relatively difficult and labour-intensive task that requires the involvement of people from different areas of the institution or undertaking, including security, legal or IT.

Documenting a risk analysis:

In line with the principle of accountability, the conduct of a risk analysis should be documented. This ensures that the controller and the processor will be able to demonstrate (e.g. in the event of an audit by a supervisory authority) that their data protection measures are proportionate to the level of risk of violation of the rights and freedoms of natural persons in relation to the processing of personal data.

Failure to document the risk analysis may expose the controller and the processor to allegations of breaches of the GDPR. For example, such allegations have been made by PUODO in the following cases:

https://uodo.gov.pl/decyzje/DKN.5131.8.2021

https://uodo.gov.pl/decyzje/DKN.5131.47.2022

Internal policies for processing personal data:

According to the GDPR,

in order to be able to demonstrate compliance with this regulation, the controller should adopt internal policies and implement measures that, in particular, comply with the principle of data protection by design and data protection by default.

From a practical point of view, the cited provision triggers, among other things, the need for the controller and the processor to develop and implement internal data processing policies that address their employees and impose obligations on employees to ensure the processing of personal data in compliance with the Regulation.

The GDPR does not specify what the content of such policies should be. It appears that, as with other data protection measures, the content of the policies should be designed taking into account, in particular, the nature, scope, context and purpose of the processing carried out by the institution or undertaking, as well as the risk of violation of the rights and freedoms of natural persons with varying degrees of probability and seriousness.

PUODO’s guidelines, contained in an article published by PUODO entitled ‘GDPR-compliant documentation of personal data processing’, may prove helpful in developing such policies. These guidelines outline the types of issues that PUODO believes should be addressed in such internal documents, and how.

Who is responsible for selecting and implementing data protection measures:

The GDPR does not explicitly define who within an institution or undertaking is responsible for implementing appropriate data protection measures. In light of the principle of accountability and in order to increase the efficiency of the implementation of data protection measures, it is advisable for the controller and the processor to designate specific persons (positions) within the institution or undertaking who will be responsible for the selection and implementation of data protection measures within the institution or undertaking as a whole or within its specific departments. Due to the potential conflict of interest, this person should not be the data protection officer.

Updating the risk analysis and data protection measures

In order for the risk analysis to fulfil its role and for the controller to be able to claim that he/she is acting in accordance with the requirements of GDPR Article 32, the risk analysis should be updated when changes occur that are relevant to its findings, such as in the case of:

  • Regulatory changes;
  • Changes in the factual circumstances of the processing - e.g. implementation of new processing operations or changes to the existing ones, changes in the technical solutions used for data processing (e.g. implementation of new IT solutions);
  • Identification of new threats.

In addition, it is necessary to continuously review the effectiveness of the implemented measures and to identify any need for changes.

If the updated risk analysis shows that the data protection measures implemented so far need to be changed or new solutions need to be implemented, the controller and the processor should make the appropriate changes or implement such new solutions.

As stated in PUODO Decision No. DKN.5131.47.2022 of 18 July 2023,

new threats may also arise or be identified spontaneously, in a manner completely independent of the controller, and this fact should also be taken into account both when designing a personal data protection system and when implementing it. This, in turn, defines the need to periodically review the entire personal data protection system, both in terms of the adequacy and effectiveness of the organisational and technical solutions implemented, in the context of a risk analysis carried out, as well as to periodically test, measure and evaluate the effectiveness of the technical and organisational measures taken to ensure the security of the processing.

Data protection impact assessment versus risk analysis:

The risk analysis referred to above is, in principle, a different exercise from the data protection impact assessment referred to in GDPR Article 35(1). Where a particular data processing operation meets the criteria set out in GDPR Article 35(1), a data protection impact assessment should be carried out for that operation, in addition to and independently of the risk analysis. This does not exclude a situation where the two activities are actually carried out together and, for example, are covered by a single document (provided that this document fulfils the role of the risk analysis and the requirements set out in GDPR Article 35).

Ensuring data security through the use of an approved code of conduct or an approved certification mechanism

If a specific processing of personal data is covered by a so-called code of conduct (see commentary on GDPR Article 40) approved by a supervisory authority or a certification mechanism (see commentary on GDPR Article 42), the controller or the processor may implement such arrangements within his/her institution or undertaking, for example by adopting a given code of conduct and organising the processing of data in accordance with the requirements and conditions described in such code.

If the controller or the processor complies with the requirements and conditions of the processing described in such a code (in particular with regard to the data protection measures provided for in the code), he/she may claim that the data protection measures he/she has implemented comply with the requirements of GDPR Article 32 (without having to carry out a risk analysis in this respect, unless the code itself provides for its implementation).