While Art. 5(1)(f) GDPR states abstractly that “appropriate technical or organizational measures” shall be used to implement the above-mentioned security protection goals, Art. 32 GDPR provides further detail.
Art. 32(1) states that when deciding on appropriate measures, controllers shall take into account “the state of the art and the costs of implementation”, as well as “the nature, scope, context and purposes of processing”. In particular, the context of processing is of relevance here, since it can be argued that the current threat landscape is an aspect thereof. As expected, the controller shall also take into account “the risks for the rights and freedoms of natural persons”.
So the required level of protection clearly depends on the severity of the possible undesirable consequences to which data subjects are exposed and on a threat model that estimates the likelihood of undesirable events. Security is thus only a means, not an objective in itself. The level of security is sufficient when the risks for data subjects are mitigated down to an acceptable level. The selection of measures depends both on what the market has to offer and on how cost-effective these measures are.
Art. 32(1)(d) GDPR states the well-accepted concept that security is a process, not an objective that is reached once. In particular, the GDPR requires “a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing”.
Art. 32(2) GDPR provides marginal additional detail about what the protection goals entail, enumerating “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed”.
Art. 32(3) GDPR suggests that “[a]dherence to an approved code of conduct or an approved certification mechanism may be used as an element by which to demonstrate compliance” with the principle of integrity and confidentiality.
Art. 32(4) GDPR clarifies that an important element of security is to ensure that employees act only on instruction and as instructed by the controller. This is necessary to establish clear responsibility and accountability. It is also necessary to meet the requirement of Art. 5(1)(f) of “protection against unauthorized or unlawful processing”.
From Art. 25 GDPR, it follows that all requirements posed by the GDPR, including security, have to be considered throughout the life cycle of the processing activity. The GDPR thus also requires security by design and by default. Security therefore has to be considered at the start of the life cycle, for example through corresponding requirements used for a tender, and at the end of the life cycle, for example when migrating operations to a new processing system and dismantling the old one.
Art. 30(1)(g) GDPR requires that the technical and organizational security measures be specifically listed in the records of processing, which are targeted at supervisory authorities.