Do you know the GDPR information security requirements? In this section you will find information about the required level of security, controls, risk assessments and personal data breaches.
GDPR information security principle
The principle of information security requires that personal data is “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.
This principle, set out in Article 5.1.f, is further developed by Article 32 of the GDPR, which sets forth the information security requirements that you need to consider when selecting the appropriate technical and organisational measures. These are:
- the state of the art,
- the costs of implementation,
- the nature, scope, context and purposes of processing, and
- the risk of varying likelihood and severity for the rights and freedoms of natural persons.
However, prior to selecting any security measure, you need to determine which level of security is required by your organisation.
What level of information security does the GDPR require
Following the practice of the information security industry, Article 32.3 of the GDPR establishes that, to determine the level of security, you shall take especially into account the risks resulting from the processing to the confidentiality, integrity and availability of the information:
In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
This means that you need to implement a framework to manage information security risks within your organisation.
How to conduct an information security risk assessment
As defined by ISACA, risk management is “the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization”.
There are several ways of managing risks within an organisation and you should choose one or another depending on your specific needs, data processing activities and budget. Two of the best-known frameworks are ISO/IEC 27001:2013, which covers information security, and ISO/IEC 31000:2018, which covers risk assessments.
ISO 27001 is an information security management system based on the Deming cycle (plan-do-check-act) and it can be certified. This framework is especially useful to comply with the GDPR because both the Regulation and ISO 27001 are focused on assessing risks.
According to ISO 27001, to assess risks you need to:
- identify information assets (personnel, premises, hardware, software … ), threats to which assets are exposed and their vulnerabilities;
- calculate the likelihood of a threat exploiting a vulnerability to compromise information confidentiality, integrity and availability;
- evaluate the impact the materialisation of a threat would have to confidentiality, integrity and availability;
- estimate risk level, combining likelihood and impact;
- assign risk owners for every asset; and
- define risk appetite.
The next step is to draft the risk treatment plan, which is a document where you explain which risks are going to be treated, their level, actions proposed, the person in charge to implement controls, resources that will be needed and the time it will take. The risk can be treated in one or several of the following manners:
- avoiding the risk;
- reducing the risk level;
- transferring the risk; and
- accepting the risk.
If you decide to not accept a risk, then you should select the appropriate security measures to avoid, reduce or transfer that risk. Once a risk has been treated, there is always a remaining risk which is called residual risk, which should be lower. The residual risk also needs to be evaluated and treated.
This is, at a high level, the methodology for evaluating and planning the treatment of risks in ISO 27001, even though some requirements have been omitted and they should be taken into consideration if you are considering certification. However, to comply with the GDPR information security requirements certification is not required and therefore you do not need to implement the whole of ISO 27001.
What GDPR requires from you is an assessment of the risks for confidentiality, integrity and availability of information and the implementation of the appropriate security measures to protect the information.
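The risk assessment and treatment steps above (assets, threats, vulnerabilities, likelihood, impact on confidentiality, integrity and availability, risk owners, risk appetite, treatment plan and residual risk) as a small worked register. This is an added example, not code from the original page or from ISO; the five-point scales, the likelihood-times-worst-impact rule and every asset, threat, owner and rating in the sample register are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Five-point ordinal scales: a constructed convention for this example, since
# ISO 27001 leaves the scales and the combination rule to the organisation.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
VERBS = {"avoid": "avoided", "reduce": "reduced", "transfer": "transferred"}

@dataclass
class Treatment:
    option: str          # "avoid", "reduce" or "transfer" (accepting means no Treatment)
    controls: list       # proposed controls, named as in the ISO 27001 lists on this page
    implementer: str     # person in charge of implementing them
    likelihood: str      # expected likelihood once the controls are in place
    impact: dict         # expected C/I/A impact once the controls are in place

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    risk_owner: str
    likelihood: str
    impact: dict         # {"C": ..., "I": ..., "A": ...}
    treatment: Optional[Treatment] = None

def risk_level(likelihood: str, impact: dict) -> int:
    """Combine likelihood with the worst impact on confidentiality, integrity or availability."""
    return LIKELIHOOD[likelihood] * max(IMPACT[v] for v in impact.values())

def residual_level(risk: Risk) -> int:
    """Risk remaining after the proposed treatment; unchanged when none is proposed."""
    if risk.treatment is None:
        return risk_level(risk.likelihood, risk.impact)
    return risk_level(risk.treatment.likelihood, risk.treatment.impact)

def treatment_plan(register: list, appetite: int) -> list:
    """One row per risk: inherent and residual level, and what the plan still needs."""
    rows = []
    for r in register:
        inherent, residual = risk_level(r.likelihood, r.impact), residual_level(r)
        if inherent <= appetite:
            status = "accept"                 # within risk appetite, no treatment needed
        elif r.treatment is None:
            status = "treatment required"     # above appetite and nothing proposed yet
        elif residual > appetite:             # residual risk must itself be treated again
            status = f"{VERBS[r.treatment.option]}, residual {residual} still above appetite: treat again"
        else:
            status = f"{VERBS[r.treatment.option]}, residual {residual} acceptable"
        rows.append({"asset": r.asset, "threat": r.threat, "owner": r.risk_owner,
                     "inherent": inherent, "residual": residual, "status": status})
    return rows

# Constructed sample register: assets, threats, owners and ratings are invented.
RISK_APPETITE = 8
REGISTER = [
    Risk("customer database", "ransomware", "unpatched servers, untested backups", "CIO",
         "likely", {"C": "major", "I": "severe", "A": "severe"},
         Treatment("reduce", ["management of technical vulnerabilities", "backup"],
                   "IT operations lead", "possible", {"C": "major", "I": "moderate", "A": "minor"})),
    Risk("staff laptops", "theft", "no disk encryption", "HR director",
         "likely", {"C": "severe", "I": "minor", "A": "minor"},
         Treatment("reduce", ["cryptographic controls", "mobile devices policy", "backup"],
                   "IT operations lead", "likely", {"C": "minor", "I": "minor", "A": "minor"})),
    Risk("public website content", "defacement", "outdated CMS plugin", "marketing lead",
         "possible", {"C": "negligible", "I": "minor", "A": "minor"}),
    Risk("paper HR archive", "fire", "stored in an unprotected basement", "HR director",
         "unlikely", {"C": "negligible", "I": "severe", "A": "severe"}),
]
```

Running `treatment_plan(REGISTER, RISK_APPETITE)` shows the three outcomes the text describes: a risk accepted because it is within appetite, one that still lacks a treatment, and a treated risk whose residual level remains above appetite and must be treated again.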
How to select the appropriate GDPR information security controls
The GDPR states that you need to implement “appropriate technical and organisational measures”. For that purpose, to satisfy the GDPR information security requirements you will need to consider all relevant facts regarding the context of your organisation, such as its location, IT equipment, suppliers and clients, the number and training of employees, their access to resources, and your data processing activities.
All of the above facts must be taken into account when assessing the risks for information, and they should be the main element to consider when selecting the appropriate security controls. However, remember that you should also take into account:
- the state of the art,
- the costs of implementation,
- the nature, scope, context and purposes of processing, and
- the risk of varying likelihood and severity for the rights and freedoms of natural persons.
Good practices in information security rarely make it into a law, because they change constantly to counter new threats and vulnerabilities. Instead, they are published by InfoSec industry organisations, such as INCIBE (Spain) or NIST (US). For that reason, the GDPR indicates that the state of the art is an element to be considered when selecting controls.
Regarding the GDPR information security requirements which concern the nature, scope, context and purposes of processing, and the risk of varying likelihood and severity for the rights and freedoms of natural persons, these require you to consider the life cycle of personal data, the measures adopted to ensure compliance of data processing with the GDPR principles, and whether means are in place to manage data subject rights requests. These are, by the way, the same items that are evaluated when conducting a data protection impact assessment.
Lastly, when selecting controls you also need to take into account the costs of implementation.
What security measures to protect personal data should be implemented
Article 32.1 of the GDPR establishes that the security measures should include, inter alia as appropriate:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Furthermore, Article 32.4 sets out an obligation concerning employees and contractors:
The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.
While it is advisable to take into account the above provisions, implementing these measures may not be appropriate to your case and is certainly not enough by itself to meet the GDPR information security requirements. The decision to apply one control or another depends on the risks to which your information is exposed and, to become aware of these risks, you need to carry out a risk assessment.
You should implement the organisational and technical measures appropriate to reduce the risk level of those information assets that present a level of risk higher than the risk appetite.
Finally, whereas the GDPR does not include a list of the controls that you need to apply, good practice would be taking guidance from Annex A of ISO 27001 together with the guidelines to implement these controls set forth by ISO/IEC 27002:2013.
ISO 27001 controls
ISO 27001 Annex A is structured in 14 clauses and each clause defines the objectives and controls for information security. Certification in ISO 27001 requires implementing all 114 controls, except those that are not applicable to your organisation. However, bear in mind that to meet the GDPR information security requirements you do not need to certify any ISMS; it is sufficient to implement the controls which are appropriate to reduce risks to confidentiality, integrity and availability to acceptable levels.
Therefore, depending on the necessities of your organisation, you may select amongst the following controls:
Information security policies
ISO 27001 requires organisations to implement a variety of policies. At the highest level, organisations should draft an information security policy which is approved by management and which sets out the organisation’s general approach with regards to information security, such as the objectives or a framework to achieve them, commitments to achieve information security requirements and continual improvement.
This higher-level policy needs to be supported by other specific-lower-level policies. ISO requires, at minimum, the following:
- Information security (higher-level policy).
- Access control.
- Information classification.
- Physical and environmental security.
- Acceptable use of assets.
- Clear desk and clear screen.
- Information transfer.
- Mobile devices and teleworking.
- Restrictions on software installations and use.
- Protection from malware.
- Management of technical vulnerabilities.
- Cryptographic controls.
- Communications security.
- Privacy and protection of personally identifiable information.
- Supplier relationships.
Policies need to be communicated within the organisation and to relevant external parties and reviewed periodically.
Organisation of information security
This objective is separated into two sections, internal organisation and mobile devices and teleworking. Regarding internal organisation objectives, ISO establishes:
- Information security roles and responsibilities
- Segregation of duties
- Contact with authorities
- Contact with special interest groups
- Information security in project management
As far as the mobile devices objective is concerned, it is necessary to implement a policy and supporting security measures. These should consider:
- registration of mobile devices;
- requirements for physical protection;
- restriction of software installation;
- requirements for mobile device software versions and applying patches;
- restriction of connection to information services;
- access controls;
- cryptographic techniques;
- malware protection;
- remote disabling, erasure or lockout;
- backups; and
- usage of web services and web apps.
Other controls set forth by ISO 27002 include use of mobile devices in public spaces, physical protection against theft, personnel training and BYOD.
Finally, organisations allowing teleworking should consider, among other things:
- existing physical security of the teleworking site;
- the proposed physical teleworking environment;
- the communications security requirements;
- the provision of virtual desktop access that prevents processing and storage of information on privately owned equipment;
- the threat of unauthorised access to information or resources from other persons using the accommodation; or
- malware protection and firewall requirements.
Human resource security
This section covers controls prior to employment, during employment and on termination or change of employment.
Prior to employment, ISO requires the definition of procedures for screening candidates, taking into account all relevant privacy, data protection and employment legislation. Also, consideration should be given to:
- character references;
- a verification of the applicant’s curriculum vitae;
- confirmation of claimed academic and professional qualifications;
- independent verification of the candidate’s identity;
- more detailed verification, such as credit review or review of criminal records.
Furthermore, account should also be taken of terms and conditions of employment, including relevant information security clauses to contracts (NDA, responsibilities and rights, classification of information and management of assets, actions to be taken in the event of misconduct…).
During employment, management should ensure contractors apply information security, employees should receive appropriate awareness education and training and there should be a process to communicate disciplinary processes in place.
On termination or change of employment, the responsibilities and duties that remain valid after termination or change thereof should be defined, communicated and enforced.
Asset management
In this section, ISO requires consideration of:
- Responsibility for assets. Controls include an inventory of assets, giving ownership of those assets, defining rules for the acceptable use of information and of assets and returning of assets by employees or contractors upon termination of their contract.
- Information classification. Information needs to be classified and labelled and procedures for handling assets should be developed and implemented.
- Media handling. There should be control for the management of removable media, disposal of media and physical media transfer.
Access control
Concerning access control, there are measures regarding business requirements of access control, user access management, user responsibilities, and system and application access control.
Concerning the first domain, business requirements of access control, there should be:
- an access control policy, and
- access control to networks and network services.
Regarding user access management, there should be measures in place for:
- user registration and de-registration;
- user access provisioning;
- management of privileged access rights;
- management of secret authentication information of users;
- review of user access rights; and
- removal or adjustment of access rights.
When it comes to user responsibilities, there should be controls about the use of secret authentication information (passwords).
Finally, concerning system and application access control, consideration should be paid to:
- information access restriction;
- secure log-on procedures;
- password management system;
- use of privileged utility programs; and
- access control to program source code.
Cryptography
To ensure proper and effective use of cryptography to protect information, policies on the use of cryptographic controls and key management should be drafted.
Physical and environmental security
Concerning physical and environmental security, ISO 27001 distinguishes between secure areas and equipment.
For the establishment of secure areas, the following elements should be defined and/or taken into account:
- physical security perimeter;
- physical entry controls;
- securing offices, rooms and facilities;
- protecting against external and environmental threats;
- working in secure areas; and
- delivery and loading areas.
Regarding equipment, the controls cover:
- equipment siting and protection;
- supporting utilities;
- cabling security;
- equipment maintenance;
- removal of assets;
- security of equipment and assets off-premises;
- secure disposal or reuse of equipment;
- unattended user equipment; and
- clear desk and clear screen policy.
Operations security
To safeguard the information security of operations, the ISMS framework establishes controls concerning: operational procedures and responsibilities; protection from malware; backup; logging and monitoring; control of operational software; technical vulnerability management; and information systems audit considerations.
Regarding operational procedures and responsibilities, the following controls are set forth:
- documented operating procedures;
- change management;
- capacity management; and
- separation of development, testing and operational environment.
Concerning logging and monitoring:
- event logging;
- protection of log information;
- administrator and operator logs; and
- clock synchronisation.
With regard to technical vulnerability management, you may implement controls for:
- management of technical vulnerabilities, and
- restrictions on software installation.
Finally, this section also includes:
- protection against malware;
- backup copies of information, software and system images;
- implementation of procedures to control the installation of software on operational systems; and
- planning and approval of audit requirements and activities involving verification of operational systems, to minimise disruptions to business processes.
Communications security
To ensure the protection of information in communications, ISO 27001 establishes controls relating to network security management and information transfer.
To manage network security, controls include:
- network controls;
- security of network services; and
- segregation in networks.
To maintain the security of information transferred within an organisation and with an external entity, there should be:
- information transfer policies and procedures;
- agreements on information transfer;
- protection of information involved in electronic messaging; and
- confidentiality or non-disclosure agreements.
System acquisition, development, and maintenance
This section is divided into three parts which concern: security requirements of information systems; security in development and support processes; and test data.
Regarding security requirements of information systems:
- information security requirements analysis and specification;
- securing application services on public networks; and
- protecting application services transactions.
With regard to security in development and support processes:
- secure development policy;
- system change control procedures;
- technical review of applications after operating platform changes;
- restrictions on changes to software packages;
- secure system engineering principles;
- secure development environment;
- outsourced development;
- system security testing; and
- system acceptance testing.
Finally, test data should be selected carefully, protected and controlled.
Supplier relationships
Concerning suppliers, there are two main fields where the ISO 27001 framework requires controls: information security in supplier relationships, and supplier service delivery management.
Regarding information security in supplier relationships, controls consider:
- an information security policy for supplier relationships;
- addressing security within supplier agreements; and
- the information and communication technology supply chain.
Concerning supplier service delivery management:
- monitoring and review of supplier services; and
- managing changes to supplier services.
Information security incident management
This section includes controls for the management of information security incidents and improvements. These concern:
- responsibilities and procedures;
- reporting information security events;
- reporting information security weaknesses;
- assessment of and decision on information security events;
- response to information security incidents;
- learning from information security incidents; and
- collection of evidence.
Information security aspects of business continuity management
When it comes to business continuity, ISO distinguishes between two categories: information security continuity, and redundancies.
Concerning information security continuity, controls envisage:
- planning information security continuity;
- implementing information security continuity; and
- verifying, reviewing and evaluating information security continuity.
Regarding redundancies, information processing facilities should be implemented with redundancy sufficient to meet availability requirements.
Compliance
This section is separated into two categories. The first category is about compliance with legal and contractual requirements; the second relates to information security reviews.
Controls regarding compliance with legal and contractual requirements deal with:
- identification of applicable legislation and contractual requirements;
- intellectual property rights;
- protection of records;
- privacy and protection of personally identifiable information; and
- regulation of cryptographic controls.
With regard to information security reviews, ISO establishes the following controls:
- independent review of information security;
- compliance with security policies and standards; and
- technical compliance review.
REMEMBER: All the controls mentioned above are listed by ISO 27001 and they need to be considered when obtaining the certification. However, to comply with the GDPR information security requirements you do not need to implement all these controls, nor obtain any certification. You just need to deploy appropriate measures to treat those risks which you decided not to accept.
Pseudonymisation and anonymisation
Pseudonymisation and anonymisation are techniques which aim to strip personally identifiable information from data. When the process is irreversible, the data are no longer personal data and are instead anonymised data. Conversely, when the process is reversible the data have been pseudonymised and thus remain personal data.
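The reversible/irreversible distinction above in code. This is an added example, not code from the original page: pseudonymisation replaces direct identifiers with keyed HMAC tokens while a key and lookup table kept apart from the data set allow re-identification, whereas anonymisation drops the direct identifiers and generalises the remaining quasi-identifiers so that no table can restore them. The sample records, field names and generalisation rules are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data set; every value here is invented.
RECORDS = [
    {"name": "Ana Garcia", "email": "ana@example.org", "age": 34, "postcode": "28013", "diagnosis": "flu"},
    {"name": "Luis Perez", "email": "luis@example.org", "age": 61, "postcode": "08002", "diagnosis": "asthma"},
]
DIRECT_IDENTIFIERS = ("name", "email")


class Pseudonymiser:
    """Reversible replacement of direct identifiers by keyed tokens.

    The HMAC key and the token->identifier table are the additional information
    that must be kept separately from the data set; while they exist, the
    pseudonymised records are still personal data.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key or secrets.token_bytes(32)
        self._table: dict = {}          # token -> original identifier

    def token(self, identifier: str) -> str:
        # Keyed, so the same input always maps to the same token for one key,
        # but nobody without the key can recompute or guess the mapping.
        # Truncated to 64 bits for readability; fine for a toy data set.
        tag = hmac.new(self._key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]
        self._table[tag] = identifier
        return tag

    def reidentify(self, tag: str) -> str:
        return self._table[tag]

    def pseudonymise(self, records: list) -> list:
        out = []
        for rec in records:
            rec = dict(rec)
            for field in DIRECT_IDENTIFIERS:
                if field in rec:
                    rec[field] = self.token(rec[field])
            out.append(rec)
        return out


def age_band(age: int) -> str:
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def anonymise(records: list) -> list:
    """Irreversible: direct identifiers are dropped and quasi-identifiers generalised.

    No key or table is produced, so nothing can restore the originals. Whether
    the result is truly anonymous still depends on the re-identification risk
    posed by the attributes that remain, which this toy does not measure.
    """
    return [
        {"age_band": age_band(rec["age"]), "area": rec["postcode"][:2] + "xxx", "diagnosis": rec["diagnosis"]}
        for rec in records
    ]
```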
Reporting of GDPR data breaches
A personal data breach is defined by Article 4.12 as:
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
When any of these events occur, you need to record it, including the facts, consequences and corrective actions, and to assess the necessity of reporting the personal data breach to competent supervisory authorities and data subjects.
Reporting of GDPR information security incidents to data subjects
In addition to reporting to the data protection authority, the GDPR also requires giving notice of personal data security incidents to natural persons when the breach is likely to result in a high risk to their rights and freedoms.
This communication should describe in clear and plain language the nature of the personal data breach and contain at least the following information:
- the name and contact details of the data protection officer or other contact point where more information can be obtained;
- a description of the likely consequences of the personal data breach;
- a description of the measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Conversely, you are not required to communicate GDPR information security incidents to data subjects when any of the following conditions apply:
- you have implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
- you have taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise; or
- it would involve disproportionate effort. In such a case, you should instead issue a public communication or a similar measure whereby data subjects are informed in an equally effective manner.
- REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
- ISO/IEC 27001:2013
- ISO/IEC 27002:2013