Security measures

Security requires customisation

Security requires customisation. This means that you will have to determine for yourself what is necessary for your specific processing operations. That is why a good security plan starts with a risk analysis. Based on this analysis, you determine the security measures that are appropriate to your processing operations and the privacy risks for the people whose data you process.

Make a risk analysis

Your security level must be in line with the risks that a data processing entails. These are both the business risks and – in particular – the privacy risks for the people whose data you process.

For example, risks caused by unauthorised access, destruction, loss, alteration or unauthorised processing of personal data. Regardless of whether this happens accidentally or intentionally. The more significant the consequences may be, the better you will have to secure the personal data.

When doing so, you have to take into account:

• how likely it is that a security incident (including a data breach) will arise;
• how serious any incident is for the people whose data you process.

Note: Do you use a legacy system (outdated system)? Then this increases the chance of you running security risks.

Help with risk analysis

For identifying the risks you can look at, for example:

• recital 75 of the GDPR;
• external reports of the National Cyber Security Centre (NCSC);
• external reports of the General Intelligence and Security Service (Dutch abbreviation: AIVD).

You can use security standards for making a risk analysis.

Importance of risk analysis

The risk analysis is important for determining which security measures are proportionate to the risk level of processing and are therefore ‘appropriate’ to it. For example, stricter requirements for security apply if the data are more privacy-sensitive and therefore result in higher risks. A medical file, for example, results in a higher risk than an email address.

For more information about the risk analysis, see: Preventing data breaches or mitigating consequences.

Determine the measures

Pursuant to the GDPR, you are obliged to take ‘appropriate technical and organisational measures’ to protect personal data. What is appropriate depends on:

• your organisation;
• your specific personal data processing operations;
• the vulnerable parts identified by you.

There is, therefore, not one ready-made plan that guarantees security for each and every organisation.

As a general rule when determining which measures are appropriate, the security measures taken by you must be proportionate to the risk level of a processing operation. If this is the case, the measures taken are appropriate. You have determined the risk level in your risk analysis.

Then you consider the following points when determining possible security measures:

• the state of the art;
• the costs for proper security of the data;
• the nature, the size, the context and the purpose of processing.

Then you will have to strike a balance between the risk level of processing and the measures taken to secure the data processed. The higher the risk level, the stricter the associated appropriate measures.

An example of a security measure is the use of modern, ‘state-of-the-art’ techniques. But you should not look at technique only. Also take a critical look at how you, as an organisation, handle personal data. For example: which data do certain employees need to do their job, and which data do they not need? These are the organisational measures.

It is important that you in any case consider measures that are necessary for:

• safeguarding the confidentiality, integrity, availability and resilience of your processing systems and services;
• in the case of an incident, restoring the availability of and access to the personal data in a timely manner;
• checking at regular intervals whether the security measures taken are still sufficiently effective, for which you use a plan-do-check-act cycle.

Do you want to know which technical and organisational measures are possible? Read the page Examples of security measures.

Security by processor

Do you engage a third party to process personal data on your behalf (a processor)? Then you will have to determine in advance if this processor takes sufficient measures to secure the data. Are these security measures insufficient? Then you are not allowed to engage this processor.

Note: You remain the party responsible for compliance with the GDPR if you engage a processor.

Accountability

Bear in mind that under the GDPR, a duty of accountability applies. This means that you do not only have to take appropriate measures to secure the personal data you process, you must also be able to demonstrate that you have taken these measures and that they are sufficient. The Dutch Data Protection Authority may enquire after this.