Is your data security "appropriate" enough

If you ask anyone about data protection compliance, there's a good chance they'll immediately start talking about security. Whilst the "security" principle (Article 5(1)(f), integrity and confidentiality) is an important one, it is just one of the seven data protection principles, all of which matter equally. It is, however, the one that resonates most with business people, because poor data security is not only a breach of the principle: it can also lead to your customers losing confidence in your business processes, to business continuity problems (firefighting an incident takes you away from the day job), to the GDPR duty to report a breach, and ultimately to a GDPR fine (viz BA and Marriott).

The GDPR requires you to "implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk". If you ask the ICO what that means in practice, they'll leave it up to you to decide. You just have to hope you get it right and, if it comes to the crunch, be able to demonstrate that you did everything reasonably possible and that your best was indeed "appropriate".

So what is appropriate security? This is the tricky bit. If you look at what Article 32 of GDPR says, you'll see that it asks you to weigh the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing against the risk, and it gives examples of measures: pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of your systems; the ability to restore access to the data in a timely manner after an incident; and a process for regularly testing and evaluating whether those measures are actually working. In reality, though, the security principle is about introducing whatever level of security is necessary to protect personal data from unauthorised or unlawful access, accidental loss, destruction, damage or disclosure, and that means you have to consider every realistic scenario of what could cause a security incident and ultimately a breach.

When people ask me about data security from a GDPR perspective, I usually use as an example the case of the care worker who took home, on a laptop, sensitive information relating to care home residents and employees. The laptop didn't have appropriate security in place; it was stolen during a burglary at the employee's home, and this led to a £15k fine because the care home hadn't put appropriate measures in place to secure the data on the laptop and hadn't made sure the member of staff implemented appropriate security when taking work home. No one expects their house to be burgled, after all, but that doesn't detract from the fact that the employee should have done everything she possibly could to make sure the data was secured, both in terms of the security on the laptop itself and in terms of how it was kept overnight at her home.

So appropriate security means you have to think broadly about what risks exist for the personal data you hold and what you can do to mitigate them. Encryption of the data may be the answer, but it may be unnecessary, and an encrypted hard disk alone will not stop someone accessing the data if the login password is poor or the device is left unlocked: full-disk encryption protects data on a machine that is switched off or stolen, not one that a thief can simply log into.

Essentially, there is no quick answer and no "one size fits all" solution. You need to assess where your data is being processed and what needs to be put in place. Furthermore, it's not just about what you do technologically; you need to think about your people: what are they doing that could breach security, and what can they do to ensure it? Give them the tools not only to understand the importance of security but also to think carefully about what they do with personal data. Remember that, unintentionally, your employees could be your highest security risk.

At a very basic level, from a GDPR perspective:

  1. Make sure everyone in your organisation who comes into contact with personal data understands GDPR and what the data security principle means in practice. Back this understanding up with training and with internal IT and security policies.
  2. Implement the technical controls you already have at your disposal: if you can easily encrypt the hard drive on company laptops, do so; if two-factor (or two-step) authentication is available in an application, turn it on by default; if your software lets you force password resets, use that functionality when you suspect a password has been compromised (current NCSC and NIST guidance advises against routine, time-based password expiry, which tends to produce weaker, predictable passwords), and so on. And always make sure your software is patched and up to date.
  3. Use data protection by design concepts and data protection impact assessments to identify security risks from the outset, not as an afterthought, so you know what you need to address and can work out how to fix it.
  4. Test and check: make sure what you're doing is working. Don't just make some initial effort and never revisit it or test that it still works (you could consider using some penetration testing techniques). Also consider monitoring access and server logs so you can spot anomalies, such as logins at unusual times or from unexpected locations.
  5. Document your approach and procedures as fully as you can, so you can demonstrate you've done the best you can, just in case the worst-case scenario does happen and you have to explain your actions to the ICO.

Sadly, I'm increasingly seeing businesses approach GDPR compliance as they do cyber security, with an "it'll never happen to me" attitude. If you suffer a breach of personal data, it could destroy your business (ICO investigation, large fine, bad PR, loss of customers). Can you afford to take the risk?

So, you have to decide: is your data security appropriate?

More articles by Mark Gracey Bsc(Hons) LLM
