Appropriate technical and organizational measures
As mentioned under the heading "What are your obligations?", the controller must ensure that data protection is handled through "appropriate technical and organizational measures".
What is "appropriate" depends in particular on an assessment of the risks that the processing entails for the data subjects and, where relevant, on a data protection impact assessment. You must also be able to demonstrate that you have taken measures that meet the requirements of the data protection rules.
As a contribution to this assessment, various standards and guidance texts can help you find tools as well as generic lists of potential threats and measures:
However, compliance with or certification in accordance with one of the standards or guidelines mentioned above does not in itself mean that the General Data Protection Regulation has been complied with.
Certain tools that may contribute to the protection of personal data may be referred to as Privacy Enhancing Technologies because the protection of privacy and the protection of personal data are linked.
Achieving the objectives of personal data protection requires a professional, structured and systematic approach, and especially in large and medium-sized organizations, it also requires the focus and support of management.
As IT projects are often complex and involve many participants, it is typically helpful to use a project model that ensures sufficient time and resources at the right points in the schedule, for example for identifying legal requirements, carrying out the risk assessment/impact assessment, and implementing data protection by design and by default.
Security of processing
An important part of the "protection of personal data" concerns the security of processing.
As a data controller or processor, you are responsible for protecting the personal data against unauthorized or unlawful processing and from accidental loss, destruction or damage, by means of appropriate technical and organizational measures.
For example, if personal data come into the possession of unauthorized persons, or are changed, damaged or lost, this may infringe the rights of individuals. Therefore, you must ensure the confidentiality, integrity and availability of personal data.
How to handle personal data
The use and handling of personal data must take place securely and with an appropriate level of security and privacy protection. The level of security must reflect the actual risk of data being stolen, lost, damaged or processed unlawfully.
If the risk is likely to be high, the processing of personal data must not be initiated until an impact assessment on data protection and, where appropriate, consultation with the Danish Data Protection Agency has been carried out.
When IT solutions are designed and developed, data protection must be considered from the outset, and default settings must ensure that only the personal data necessary for the purpose of processing are processed.
If things go wrong and you, as a data controller, become aware of a personal data breach, you must notify the Danish Data Protection Agency without undue delay and, in some cases, also the persons whose data are affected by the security breach. Processors who become aware of a data breach must inform the controller without undue delay.
You can report security breaches here.
Protection of personal data from cradle to grave
The development, purchase, adaptation, testing, use, maintenance and decommissioning of an IT system are all phases in which you, as a data controller or processor, have the opportunity to influence the protection of personal data.
During phases such as development, procurement and adaptation, data protection must be incorporated into the design and default settings.
Security tests are particularly relevant for new IT systems and for changes to existing IT systems, but here we are not talking about user tests, where you primarily test for intended functionality. Security tests are primarily about finding out how the confidentiality, integrity or availability of personal data can be adversely affected. They are typically a test of the effect of the measures: whether they work as intended and whether they are adequate. These tests typically require specific expertise and tools, such as:
- Tests of bypassing login (including issues such as 'brute force' attacks, session management, issuance of new log-in credentials, single sign-on).
- Tests of loss of availability, e.g. through overload (denial-of-service) attacks or the exploitation of vulnerabilities.
- Vulnerability tests of e.g. a web application.
- Code review of e.g. a smartphone app.
- Penetration tests of e.g. network equipment and servers.
Other relevant security tests may be about whether users can be tricked into handing out a personal password to an IT system. Testing of the physical protection of personal data may be about testing e.g. burglary protection, alarm systems, emergency power and fire extinguishing equipment.
In relation to the maintenance/decommissioning/disposal of IT equipment, the protection of personal data is about the effective deletion of this information from equipment that is no longer in use.
During the period when the IT system is used for the processing of personal data (ordinary operation), you must also consider the protection of personal data. The established protection may cease to be sufficient because the processing of personal data, and the context in which it occurs, usually change over time. However, even if the processing or context does not change, new threats arise which may mean that the measures already in place are no longer sufficient.
In order to maintain a given level of protection of the confidentiality, integrity and availability of personal data, the data controller/processor is responsible for regularly testing, assessing and evaluating the effectiveness of the existing technical and organizational measures. This applies to all the measures at all stages from cradle to grave.
Ransomware is an example of a relatively new threat that has caused some data controllers to take new actions. The same applies to physical security in relation to the protection of personal data, where, for example, the threat of rising water and flooding changes with the climate.
Defense in depth with IT security
"Defense in depth" is an old military term, but it is also used in IT security because many of the same challenges arise when protecting data from malicious attacks as well as from deliberate or unintentional misuse. It is a recognition of the fact that effective data protection cannot be achieved by a single measure.
A firewall does not provide full protection, because it may be bypassed due to a vulnerability in its software, because a necessary network opening has been established through the firewall, because malicious software has entered via a USB-connected device, or for any other reason. However, if a firewall is bypassed, this should not mean that the personal data on a company's internal network are left completely unprotected.
The technical and organizational measures mentioned above must therefore constitute several layers which together provide adequate protection for personal data. Different measures reduce or eliminate different risks, and therefore each of them adds to the protection.
Finding the right level of security can be a complex task. Regardless of whether you have expertise in this area or not, it can be helpful if you apply already established standards to guide you through the process. In addition, the Danish Data Protection Agency advises on issues within the Data Protection Regulation and the Data Protection Act.
Trade associations and similar bodies can draw up and have approved codes of conduct as a useful tool, especially for small and medium-sized enterprises, to help protect personal data. You can read the Danish Data Protection Agency's guidelines on GDPR codes of conduct here.