How will the GDPR change the approach to security?


How will the GDPR change the approach to security?

Security and data breaches today

According to a study by more than 5 million data records are stolen everyday with a total of 9 billion data records breached since 2013. Out of all of them only 4% were “secure breaches” with encryption used and stolen data considered useless. It is a worrying number that makes it easy to understand why there such a great need to increase awareness to the need for more security. The reality is no one is safe.

Examples in this sense include the recent WannaCry issues, that affected hundreds of organizations. But malware and viruses are not the only ones responsible for breaches. Take for instance human errors like identity theft that took place at the National Health Services (NHS) in March 2017. In this breach, 26 millions of records were affected, all due to negligence. Doctors not aware of the potential consequences turned on “enhanced data sharing” so that records could be seen by local hospitals. The incident, reported by The Telegraph, was one with potential “devastating” consequences.

Many more such examples can be given and the conclusion is more or less the same: nowadays, data breaches are almost inevitable. What you can do is protect the data records, secure all your data, do not go around thinking a data breach will not happen to you.

The GDPR’s requirements for security

If you’re expecting to find within the GDPR the exact methods you have to use for security, you’re wrong. Article 32 states:

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate.

Among the recommended security methods are encryption, pseudonymization, anonymization and more. You can read more on these methods in our knowledge base article “Encryption vs Tokenization“. Another clear recommendation is security by design and by default. In addition to the methods named previously, an important and often overlooked aspect is the security of the processing. More specifically, you need:

a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

A big change as opposed to the current Data Protection Directive is the shared responsibility between the controller and the processor. Until now, the responsibility always fell on the controller, who was responsible for choosing any processors wisely. This responsibility still exists in a certain manner. However, if the data breached is attributed to the processor they will be held responsible. That being said, both the controller and the processor must implement appropriate technical and organizational measures to ensure security.

But what does “appropriate technical and organizational measures” mean exactly? The phrase is meant to cover everything from technical controls to policies and procedures within the organization. Deciding which methods are needed is left to the judgement of the controller and the processor according to the circumstances of the processing.

The four essential attributes of security controls

Security controls represent how you actually process the security of an information system. They must all work properly and even if only one fails, a notification must be provided. There are four main attributes of security controls: confidentiality, integrity, availability and resilience.

Confidentiality means that data should be accessed only on a need-to-know basis. Integrity refers to keeping data accurate and complete at all times. Availability means data will always be accessible when needed for any business activity. Finally, resilience, which is new to EU data protection law, refers to the ability of the data to withstand and recover from errors or threats.

As a conclusion

It is important to understand that security is more than just passwords or encryption or MFA. In order to ensure real security, that can withstand attacks, hence minimizing the risk of a data breach, you need to think of security even before you begin processing data. Another essential aspect is a risk based approach. This will usually involve a risk assessment and a data protection impact assessment, as recommended by the GDPR. This type of approach will help understand the risks that come with the processing and it will help organizations choose security measures appropriate to the risk level.

In short, figure out what data you process, why you do it, how you store it and what the impact of the operations you perform is. Have clear and concise policies and procedures in place and make sure all employees understand and follow them. Define access levels within your organization if appropriate and then decide what other security methods you need to render data useless in case of a breach. This comprehensive approach to security is probably the most important change the GDPR will bring in this area and, if done correctly, it will help lower the number of disastrous breaches.

Photo credit: Visual Content via / CC BY


About the author

Laura Vegh is the Chief Security Officer at, a passwordless security solution. She has a PhD in Systems Engineering, focused on cyber-physical systems security.