If you go through all of the 99 articles and the 173 recitals of the GDPR, you will read 89 times that you need to have “appropriate technical and organisational measures” (or TOMs) in place to ensure the security of the personal data that you process. Despite the constant mention of this term, the GDPR is not so generous when it comes to defining or explaining what those measures can consist of. So in this article, we will try to shed light on that by giving you examples of the most common TOMs used by privacy professionals worldwide to protect personal data.
In general, as a data controller, you have the obligation to ensure the security of the personal data, in accordance with the principle of integrity and confidentiality. Having appropriate TOMs in place will help you prevent data breaches and comply with the principle of data protection by design. In your record of processing activities you should also include a general description of the TOMs you are applying. Additionally, you shall use only processors that can provide essential guarantees that they have appropriate TOMs in place.
The risk-based approach – “appropriate technical and organisational measures” explained
Wherever you read about TOMs in the GDPR, the term is accompanied by the adjective “appropriate”. Before we dive into specifying the TOMs, it is important to understand the meaning of “appropriate”. The requirement to use appropriate TOMs is good news, because it means that the GDPR does not require absolute security but adopts a more pragmatic approach. In practice, this means that you are not breaching the GDPR every time you suffer a data breach; in other words, operational failure does not equal legal failure.
What you have to do, whether you are a controller or a processor, in order to comply with the GDPR requirement, is to carry out risk assessments once you decide which TOMs you will apply, and to document them. Documentation matters for compliance with the principle of accountability: if you are a controller, you are required to demonstrate that you are compliant.
For this assessment, you need to consider the following:
- the nature of the personal data (whether special category, confidential, public, etc.)
- the possible threats and vulnerabilities of the systems
- the state of the art, that is, industry best practices and not average practices
Technical measures can be defined as the measures and controls afforded to systems and any technological aspect of an organisation, such as devices, networks and hardware. Protecting such aspects is crucial for the security of personal data and is the best line of defence against data breaches. Here are some of the most common technical measures you should consider:
- Cybersecurity – This is an area too large to cover in detail in this article. At the most basic level, firewalls, malware scans, anti-virus protection, patches and updating the software when required are the most common technical security measures to apply in order to safeguard the personal data you process against cyber attacks.
- Encryption and pseudonymisation – Although the GDPR is intentionally general when it comes to TOMs, these two technical security measures are the only ones directly recommended by the regulation.
- Physical security – Implement robust measures and protocols for securing access to any office or building and ensure that all employees are aware of such controls, which can include CCTV, security lighting and alarms, and access logs. Check in visitors in accordance with a predetermined procedure and make sure they wear a badge and that they are not left alone.
- Appropriate disposal – Disposal of paperwork and devices that contain personal data must be done in a way that personal data cannot be retrieved by an unauthorised person, whether intentionally or unintentionally. Consider shredding documents that you no longer need and the secure disposal of digital databases and hardware devices.
- Passwords – Most of the time passwords are part of the general Information Security strategy. Apart from having a policy in place for setting strong passwords, ensure that documents containing sensitive data are password protected.
- Access rights – Make sure that access to databases containing personal data is granted on a need-to-know basis and that there is no blanket access for all employees. This is really important given the recent fines imposed by the Swedish data protection authority on healthcare providers that had not assessed which employees needed to access certain data and had granted general access to all employees.
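The two measures the GDPR names directly, encryption and pseudonymisation, sit naturally beside need-to-know access rights: a pseudonymised working copy of the data can be handed to roles that only need statistics, while the table that links pseudonyms back to real identities is kept separately and released only to roles with a documented need, with every re-identification logged. The following example, added here and not part of the article, shows that pattern in Python. The patient records, the role names, the operations and the key are all constructed for illustration; the only real building blocks are the standard library's HMAC-SHA256 and secrets modules.

```python
"""Added example: pseudonymisation with a keyed hash, plus need-to-know access
to the re-identification table. All records and roles below are constructed."""

import hashlib
import hmac
import secrets

# Constructed sample records (fictitious people and data).
RECORDS = [
    {"patient_id": "P-1001", "name": "Alice Example", "diagnosis": "asthma"},
    {"patient_id": "P-1002", "name": "Bob Example", "diagnosis": "diabetes"},
]

# Constructed need-to-know matrix: which role may perform which operation.
PERMISSIONS = {
    "researcher": {"read_pseudonymised"},          # statistics only
    "clinician": {"read_pseudonymised", "reidentify"},
}


class AccessDenied(PermissionError):
    """Raised when a role tries an operation outside its need-to-know set."""


def new_pseudonymisation_key() -> bytes:
    """Generate a random secret key. Store it apart from the data (e.g. in a
    secrets manager); whoever holds it can recompute pseudonyms."""
    return secrets.token_bytes(32)


def pseudonymise(identifier: str, key: bytes) -> str:
    """Stable pseudonym for an identifier: HMAC-SHA256 under a secret key.

    A keyed hash is used rather than a plain SHA-256, because identifiers such
    as patient numbers have little entropy and an unkeyed hash of them could be
    matched back to the original value by anyone who can enumerate candidates.
    """
    digest = hmac.new(key, identifier.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:16]


def split_dataset(records, key):
    """Return (working dataset, re-identification table).

    The working dataset carries pseudonyms and the attributes needed for the
    processing purpose; the direct identifiers live only in the lookup table.
    """
    working, lookup = [], {}
    for record in records:
        pseudonym = pseudonymise(record["patient_id"], key)
        working.append({"pseudonym": pseudonym, "diagnosis": record["diagnosis"]})
        lookup[pseudonym] = {"patient_id": record["patient_id"], "name": record["name"]}
    return working, lookup


def check_access(role: str, operation: str) -> None:
    """Deny by default: unknown roles and unlisted operations are refused."""
    if operation not in PERMISSIONS.get(role, set()):
        raise AccessDenied(f"role {role!r} is not permitted to {operation}")


def reidentify(role: str, pseudonym: str, lookup: dict, audit_log: list) -> dict:
    """Resolve a pseudonym to the real identity, only for permitted roles,
    and record the access so that it can be reviewed later."""
    check_access(role, "reidentify")
    audit_log.append({"role": role, "pseudonym": pseudonym, "op": "reidentify"})
    return lookup[pseudonym]


def researcher_can_reidentify(lookup: dict) -> bool:
    """Helper for demonstration: True only if a researcher can re-identify."""
    try:
        reidentify("researcher", next(iter(lookup)), lookup, [])
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    working, lookup = split_dataset(RECORDS, key)
    log = []
    print("working dataset:", working)
    print("clinician:", reidentify("clinician", working[0]["pseudonym"], lookup, log))
    print("researcher may re-identify:", researcher_can_reidentify(lookup))
    print("audit log:", log)
```

The split matters for a breach assessment: losing the working dataset without the key and the lookup table is a very different incident from losing all three, which is why the key and the lookup table should be stored and access-controlled separately from the data they protect.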
Organisational measures may consist of internal policies, organisational methods or standards, and controls and audits that controllers and processors can apply to ensure the security of personal data.
They may contribute to ensuring consistency in the protection of personal data during the full cycle of the processing. They can include, but are not limited to:
- Information security policies – whose scope and content will depend on the size of the organisation and the type of processing activities.
- Business continuity plan – regardless of size, all organisations should have policies and measures in place to back up business data (which includes personal data) and ensure that it can be recovered and maintained in the event of an incident.
- Risk assessments – Apart from being a legal requirement, risk assessments which develop mitigation solutions can constitute an effective preventive measure.
- Other policies and procedures – having robust and easy-to-follow policies and procedures helps an organisation and its employees know what their obligations are and what to do if certain situations occur. Examples include clean desk, bring-your-own-device and remote work policies, and data breach or DSR procedures.
- Awareness & training – Developing a culture of security and data protection awareness ensures that employees know the legal requirements and what is expected of them. Security and data protection is not a one-man show; every employee has a role to play. Regular and ongoing training, as well as awareness-raising activities, can be an effective measure.
- Reviews & audits – Having policies and procedures in place is not enough. You need to make sure that they are effective. Therefore, it is important to establish controls and audits to evaluate the effectiveness, correct what is not working and improve whatever could have been done better.
- Due diligence – You as a controller may be held liable if you are using a processor which cannot guarantee that they have implemented appropriate TOMs to ensure the security of personal data. It is important to establish due diligence checks before you commit to a processor and to regularly check in with them to make sure they comply with their obligations.
Applying appropriate TOMs has a central role in the GDPR. This is also illustrated by the fact that DPAs across the EU issue fines when controllers fail to apply appropriate TOMs. As stated earlier, the EU legislator is pragmatic and realistic and does not require absolute security (which is a utopia). You need to do your best to ensure the security of the personal data you process and be able to prove it. Risk assessments on a case-by-case basis are your tool for compliance!