Contactez-nous Suivez-nous sur Twitter En francais English Language

De la Théorie à la pratique

Freely subscribe to our NEWSLETTER

Newsletter FR

Newsletter EN



How to ensure ’adequate security’ in data protection

June 2022 by Robert Wassall, Director of Legal Services, NormCyber

In both UK and EU law, under data protection law, businesses are required to put in place ‘adequate technical and organisational measures’ to protect personal information. In the four years since GDPR came into effect, four things have become clear:

1. People expect their personal information (data) to be adequately protected
2. Non-compliance with data protection law is costly and damaging to a brand’s reputation
3. There are still many instances where businesses fail to put in place adequate security – but mistakenly believe that they have done so
4. Being unsure of the rules is no excuse in the eyes of the Information Commissioner (ICO).

In many cases, the failure to put into place adequate security measures stems from businesses placing data protection responsibilities exclusively onto their IT team – under the false assumption that ‘security’ means taking only technical security measures, especially preventative ones like encryption and software patching.

However, data protection law compliance requires more than just technical safeguards, and simply saying “we have water-tight IT security and adhere to the ISO27001 standard”, when it comes to compliance, (and effective, all-round security) won’t cut it.

Specifically, the GDPR states that both technical and organisational measures must be implemented. Those in IT roles have a multitude of responsibilities with a specific focus on technology, not organisational security measures, and for this reason, are not in the best position to deliver on data protection compliance requirements. In addition, they shouldn’t even be permitted to do so. What most businesses need is oversight by someone who understands the ‘rules’ of data protection law, who is not exclusively focused on technical security, and who is able to provide advice and act with an independent mind, i.e., without any actual or perceived conflict of interest arising.

Learn from the mistakes of others

We don’t have to look far to find examples of what happens when companies fail to adequately implement both technical and organisational measures for data protection. In the Republic of Ireland, the Teaching Council recently fell foul of the EU GDPR, when its IT security team failed to identify a successful phishing attack as something that should be treated as a personal data breach and notified to the Irish supervisory authority. This was because the incident was classified as ‘low severity’. Ultimately, it should not have been up to the organisation’s IT team to make this decision, and the lack of understanding about data protection law led to a fine of €60,000. The UK government’s intended data protection law reforms will not change this. In fact, although these provide greater flexibility to organisations to find the most effective and proportionate means of meeting its compliance obligations, the outcomes remain the same – meaning that expert guidance has never been more important.
So, with the spirit of the law not going anywhere, what can organisations do to stay compliant?

Technical measures

There are a number of technical measures which companies can take to protect data, both physical and IT-based. These include:
• Ensuring adequate physical security (locks on doors, alarm systems, security lighting and CCTV on premises) and access controls/supervision of visitors
• Clear procedures for disposal of electronic/paper waste and of IT devices
• System security protection, ensuring information systems are secure when processing personal data
• Putting in place appropriate access controls and hosting data securely at rest as well as when in transit
• Maintaining a secure website
• Conducting regular testing and reviews of the measures deployed to ensure they remain effective, and act on the results of those tests where they highlight areas for improvement.

Such measures sound like a checklist of necessities to tick off in isolation, but the specific actions businesses need to take – such as software patching, threat detection, multi-factor authentication and encryption – will vary depending on the volume and nature of the data held by the organisation. Simply put, the sophistication of technical measures must match that of the level of risk posed to individuals’ data.

What’s more, when an organisation gets to this point and assumes the job is done, it’s actually only 50 percent of the way through. Even if technical measures are followed to their fullest extent, a flawed organisational model could still allow breaches to occur. And this is the key point: organisational measures must be implemented in tandem with technical measures in order to ensure adequate data security.

Organisational measures

Similarly to technical measures, there is no specific checklist of what constitutes adequate organisational measures. They refer to a vast array of policies, processes and procedures available to businesses, which should be assessed and enforced as the business and its needs evolve. This, too, must be understood on a scale. For example, providing staff with regular cyber awareness training is a standard preventative measure every organisation should do. At the same time, there will be cases where the Data Protection Officer (DPO) will need an intricate understanding of an organisation’s contractual agreements with third parties and their implications for individuals’ data security. Adequate organisational measures must also be in place in the unfortunate event of a data breach, especially when sensitive information relating to finances or health was accessed.

Where we see a lot of businesses falter is looking at data protection through the lens of the business burden and treating it purely as a ‘compliance issue’ – rather than also approaching it from the point of view of the individuals whose data may be jeopardised.

The reality is that, when it comes to data protection compliance, an IT manager is not the best-placed person to have sole responsibility to decide what security measures should be put in place. Businesses also need to have access to someone with suitable expertise, someone with knowledge and understanding of data protection law. Someone who can deal with the ICO and complainants in the event of a data breach. Someone whose responsibilities aren’t exclusively technical but someone who has a wider oversight of the business operations as a whole. Data protection is not a simple ‘compliance issue’ – do it because it makes sense We’ve seen that misunderstanding what ‘adequate’ security means in the eyes of the regulator can result in fines, but there is more to consider here. In the age where employees and consumers expect that their data is protected and good data protection has become ‘common sense’ – as well as a compliance issue - those who fail to understand this will lose more than just money: namely, customers, partners, and reputation.

Only when data protection is treated as distinct from a problem for the technical department to resolve, can a business properly approach data security and treat it as something that should be done – by a combination of both technical and organisational security measures – and not something simply done because there are rules to be followed.

Think of it in these terms: if the use of seatbelts was made optional someday in the future, there’s a good chance most people would still opt to use them, because it’s plain common sense to have some form of protection when on the road. The same should apply to any organisation with regards to data protection – so get your house in order today!

See previous articles


See next articles