Security of Personal Data

A storage room to keep personal data secure
Secure storage room

Security of Personal Data can be achieved when the data is protected by the appropriate controls in relation to the sensitivity of the data. The GDPR does not prescribe exactly what level of security that is required but provides guidelines.  

Reading time: 2 minutes.

What is security of personal data

Organizations using personal data must protect the data with a level of security appropriate to the risk for the individuals the data poses should it be misused. When deciding what is “appropriate”, you should consider the type of data, the context of how and for what purposes you intend to use it. It is also relevant to consider the possible risks of the intended use, destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

Security of personal data is regulated by article 32 of GDPR. This article and the recital 78 of GDPR sets out principles of what is a good security practice. Elements of a good security practice are:

  • using pseudonymization and encryption techniques;
  • ensuring confidentiality, integrity, availability and resilience of processing systems and services;
  • having processes for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures.

In terms of assessing whether a security measure is appropriate or not, you must know information security at a level sufficient to understand if the processing complies or not. You will have to look for further guidance in information security certification frameworks and control catalogues. Some relevant examples to secure personal data include:

  • ENISA has developed the framework for privacy by design to use when developing systems and programmes;
  • ISO/IEC 27002 is a standard for security techniques providing guidelines for selecting, implementing and management of various security controls;
  • ISO/IEC 27005 is a standard for information security providing guidelines for risk management;
  • NIST Framework Special Publication 800-53 is a standard with catalogues of technical controls.

Examples of controls

To secure personal data, the following security measures are considered good practice:

  • Data minimization – e.g. minimizing the personal data used for a specific task,
  • Access control – e.g. control access to rooms with key cards and install alarms,
  • Integrity control – e.g. user authorizations are restricted to tasks or roles (HR department only files),
  • Pseudonymization – e.g. replacing parts of personal data to appear as non-personal data, although possible to retrace to the person,
  • Encrypt hardware or use an encrypted cloud service,
  • Use transmission controls to ensure that personal data is safe in transit or SLL certificates for websites,
  • Confidentiality – e.g. Set password policies, include non-disclosure obligation in contracts with consultants or others accessing personal data,
  • Recoverability – e.g. control backups to ensure a successful recovery,
  • Privacy by design and privacy by default – principles from ENISA that should be used when developing and designing systems and programmes,
  • Evaluation – e.g. regular review and improvement of your information security processes and safety measures.

Keep in mind that some technical controls trigger the requirement to perform a Data Protection Impact Assessment (DPIA) before you start processing.