Recent research has shown that there is some confusion about the relationship between GDPR and cyber security. In the Cyber Security Breaches Survey 2019, despite 88% of businesses being aware of GDPR, only 58% knew that organisations can incur fines for cyber security breaches that involve personal data. Rather interestingly, only 30% of businesses said they had made changes to their cyber security policies or processes as a result of the new legislation. The Survey also found that even where cyber security was being considered, it was not being considered holistically, and, while “not the case for all organisations, some appeared to use the terms data protection and cyber security interchangeably.”
Is Cyber Security a part of GDPR?
In a word, yes. Under the GDPR, any organisation processing personal data is required to do so securely. The relevant provision is contained in Article 5(1), which the ICO refers to as the GDPR’s ‘security principle’. It says that personal data shall be:
“Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational methods”
This means that your organisation must have appropriate security to prevent the personal data you hold from being accidentally or deliberately compromised. If you are using information systems to process personal data, you will need to ensure you have appropriate cyber security controls in place.
Furthermore, you will need to consider the ‘security principle’ alongside Article 32 of the GDPR, which provides more specifics on the security of your processing. It states:
“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk”
What level of Cyber Security is required?
The GDPR does not define the security measures you should have in place, nor does it specify a minimum standard. As can be seen from both Article 5(1) and Article 32, what it does require is a level of security ‘appropriate’ to the risks presented by your processing. You will need to consider this in relation to the state of the art and costs of implementation, as well as the nature, scope, context and purpose of your processing.
What should my organisation do next?
The GDPR’s rather vague security requirements can seem frustrating. But when thinking about what cyber security measures to put in place, the ICO recommends you bear the following in mind:
- Your cyber security measures need to be appropriate to the size and use of your network and information systems
- You should take into account the state of technological development, but you are able to consider the costs of implementation
- Your security must be appropriate to your business practices. For example, if you offer staff the ability to work from home, you need to put measures in place to ensure that this does not compromise your security; and
- Your measures must be appropriate to the nature of personal data you hold and the harm that might result from any compromise.
At Apomatix, we have an automated solution that will help you quickly and efficiently assess your GDPR compliance risks, including those related to cyber security. You can then use our platform to treat your company’s risk.
If you would like to assess your company’s GDPR risk in a matter of minutes, please click here to start a trial.