The following examples of technical and organizational measures shall further concretize the concept of security in the GDPR.
Measures in support of integrity
- One of the classical technical measures to support integrity is transactional processing. It is best known from database management systems, but is also possible in other settings.[1] Transactions are important when an operation that takes the system from one consistent state to another is composed of multiple processing steps (i.e., it is not “atomic”). A transaction then makes sure that either all of these steps or none of them are applied, even if the system crashes in the middle. It thus guarantees that the system always remains in a consistent state.
- Inconsistencies can arise due to transmission errors on noisy communication lines. The technical measure of forward error correction[2] that is built into modern communication protocols thus supports the integrity of data during transfer.
- A common technical measure to detect undesirable changes in data sets uses checksums (also known as hashes or digests). A checksum of a set of data is computed at a time when the data is known to be in a consistent state. At later points in time, the checksum of the data set is computed anew and compared to the initial one in order to detect changes and corruption.
- Integrity is an important issue in the distribution of software—in particular if software is downloaded automatically over a network. Automatic updates of operating systems are a prime example. To support the integrity of the software, technical measures such as authentication of sources on the network and digital signatures on software are often used. Digital signatures are often also used for data files.
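The transactional measure described in the first item above, as an added example that is not part of the original text: a two-step “transfer” between accounts is run as a single SQLite transaction, so a failure in the second step rolls back the first. The schema, the account names and the balances are constructed for illustration.

```python
# Added example, not from the original text: a two-step operation run as one
# SQLite transaction. Schema and account data are constructed for illustration.
import sqlite3


def setup() -> sqlite3.Connection:
    """Create an in-memory database holding two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    # The CHECK constraint defines the consistent state: no negative balance.
    conn.execute(
        "CREATE TABLE accounts ("
        "name TEXT PRIMARY KEY, "
        "balance INTEGER NOT NULL CHECK (balance >= 0))"
    )
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)", [("alice", 100), ("bob", 50)]
    )
    conn.commit()
    return conn


def transfer(conn: sqlite3.Connection, src: str, dst: str, amount: int) -> bool:
    """Move `amount` from `src` to `dst` as one transaction.

    The operation is not atomic by itself: it is a debit followed by a
    credit. Wrapping both in a transaction guarantees that either both
    steps are applied or neither is, so the total of all balances is
    preserved even if the second step fails. Returns True when committed,
    False when rolled back.
    """
    try:
        # Used as a context manager, the connection commits on success and
        # rolls back if an exception propagates out of the block.
        with conn:
            conn.execute(
                "UPDATE accounts SET balance = balance - ? WHERE name = ?",
                (amount, src),
            )
            cur = conn.execute(
                "UPDATE accounts SET balance = balance + ? WHERE name = ?",
                (amount, dst),
            )
            if cur.rowcount != 1:
                # Second step failed: the debit above must not survive.
                raise LookupError(f"no such account: {dst}")
        return True
    except (sqlite3.IntegrityError, LookupError):
        return False


def balances(conn: sqlite3.Connection) -> dict:
    """Current balance per account."""
    return dict(conn.execute("SELECT name, balance FROM accounts ORDER BY name"))


def total(conn: sqlite3.Connection) -> int:
    """Sum of all balances; an invariant every consistent state must keep."""
    return conn.execute("SELECT SUM(balance) FROM accounts").fetchone()[0]


if __name__ == "__main__":
    db = setup()
    print(transfer(db, "alice", "bob", 30), balances(db))    # True, alice 70 / bob 80
    print(transfer(db, "alice", "carol", 20), balances(db))  # False, balances unchanged
    print(transfer(db, "bob", "alice", 500), balances(db))   # False, CHECK constraint
    print("total:", total(db))                               # 150
```

The second and third calls show the two failure modes the text refers to: a step that cannot be applied (unknown destination) and a step that would violate the consistency rule (negative balance). In both cases the rollback leaves the total unchanged.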
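The checksum measure from the third item above, as an added example that is not part of the original text: a digest of the data set is taken in a known-good state, recomputed later, and compared; per-record digests additionally show which record changed. The records are constructed sample data, and the keyed variant at the end is an addition that illustrates why a plain checksum alone does not protect against deliberate modification.

```python
# Added example, not from the original text: detecting changes in a data set
# with checksums. The records below are constructed sample data.
import hashlib
import hmac
import json


def canonical_bytes(obj) -> bytes:
    """Serialize deterministically so equal content always gives equal digests."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def digest(records: list) -> str:
    """SHA-256 checksum of the whole data set, as hex."""
    return hashlib.sha256(canonical_bytes(records)).hexdigest()


def per_record_digests(records: list) -> dict:
    """Checksum per record, keyed by record id, so a change can be localized."""
    return {r["id"]: hashlib.sha256(canonical_bytes(r)).hexdigest() for r in records}


def verify(records: list, expected: str) -> bool:
    """Recompute the checksum and compare it with the one taken in a known-good state."""
    return hmac.compare_digest(digest(records), expected)


def changed_records(records: list, baseline: dict) -> set:
    """Ids of records modified, added or removed since the baseline digests were taken."""
    current = per_record_digests(records)
    return {i for i in set(current) | set(baseline) if current.get(i) != baseline.get(i)}


def keyed_digest(records: list, key: bytes) -> str:
    """HMAC-SHA-256: unlike a plain checksum, it cannot be recomputed without the key,
    so it also detects deliberate changes by someone who can rewrite the checksum."""
    return hmac.new(key, canonical_bytes(records), hashlib.sha256).hexdigest()


# Constructed sample data set (not real personal data).
BASELINE = [
    {"id": 1, "name": "A. Example", "consent": True},
    {"id": 2, "name": "B. Sample", "consent": True},
    {"id": 3, "name": "C. Placeholder", "consent": False},
]

if __name__ == "__main__":
    known_good = digest(BASELINE)
    print("baseline verifies:", verify(BASELINE, known_good))   # True
    tampered = [dict(r) for r in BASELINE]
    tampered[1]["consent"] = False
    print("tampered verifies:", verify(tampered, known_good))   # False
    print("changed ids:", changed_records(tampered, per_record_digests(BASELINE)))  # {2}
```

A plain checksum detects accidental corruption and changes made by someone who cannot also replace the stored checksum. Where the stored checksum itself could be rewritten, the keyed digest (or a digital signature, as the next item describes) is the appropriate measure.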
Measures in support of confidentiality
- A design-time organizational measure in support of confidentiality is an analysis of the consequences undesired disclosures to various parties can have for data subjects. This is comparable to IT security where the critical assets of the organization that need particular protection are identified.
- Confidentiality mandates that the controller implements measures to protect against unauthorized processing (see Art. 5(1)(f) GDPR). As emphasized in Art. 29 and 32(4) GDPR, this includes that employees only process personal data on instruction and as instructed by the controller. There are a multitude of organizational measures that support this requirement, including the following:
  - Vetting of new employees to ensure they have the necessary skills to execute the controller's instructions;
  - Legal means that “ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality”. (The wording is taken from Art. 28(3)(b), which refers to persons working for processors, but it is equally applicable to persons working for the controller.)
  - In this sense, the contracts with possible processors (see Art. 28(3) GDPR) that pass on confidentiality requirements must also be considered as measures.
  - Training of employees on how to execute instructions;
  - Internal contact points for employees who want to clarify how to execute instructions;
  - Manuals that describe the instructions (process manuals);
  - Supervision and quality control.
- What holds for instructions to human resources also holds for instructions for technical resources, i.e., software. Implementing measures to protect against unauthorized processing means that controllers have to ascertain that the software actually corresponds to their instructions. There are several measures for this purpose, including the following:
  - Specification of precise requirements as input for tenders or for custom development of software;
  - Formal acceptance testing by the controller;
  - Analysis of new versions of software to ascertain that the changed functionality still corresponds to the controller’s instructions and that no additional functionality has crept in (function creep) that corresponds to processing not authorized by the controller.
- An important technical measure is access control that enforces that only authorized personnel can access the systems and data for authorized purposes. Access control can entail a multitude of measures, including the following:
  - Issuance of authentication credentials.
  - Configuration of access rights and conditions.
  - Management of the life cycle of credentials and access rights, including expiry and renewal, revocation (e.g., when employees leave), and granting and revoking temporary access rights (e.g., when employees are sick).
  - Regular audits of the overall effectiveness of the access control system.
- There is a wealth of technical measures aimed at preventing unauthorized (internal or external) persons from accessing data. Usually, they are referred to as protection of data at rest, in transit, and in use. The former two aspects typically require encryption.
- There is a wealth of measures to prevent unauthorized persons from gaining access to systems and networks. Examples include the following:
  - Hardening of operating systems;
  - Timely application of security-critical patches and updates;
  - Installation of anti-malware software;
  - Operation of intrusion detection systems.
- When developing software, many measures are available to prevent unauthorized access to software and systems, including input sanitization, prevention measures for known kinds of attacks such as cross-site scripting, methods that prevent buffer overflows, memory randomization, etc.
- Some measures are unable to directly prevent unauthorized processing, but act as deterrents by helping to detect such actions, clearly determine responsibility, and make it possible to hold persons who acted without authorization accountable. Such measures typically involve logging or the creation of audit trails.
- An important measure associated with the end of life of storage components is the complete and secure destruction of all data before disposal.
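The credential and access-right life cycle listed under access control above, as an added example that is not part of the original text: a minimal default-deny registry in which every right carries an expiry, rights can be revoked when an employee leaves, short-lived grants model temporary cover, and an audit summarizes the state of all grants. Subjects, resources, the reference date and the helper `at()` are constructed for illustration.

```python
# Added example, not from the original text: a minimal access-right registry
# applying expiry, revocation, temporary grants and an audit summary.
# Subjects, resources and dates are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed reference time; at(n) gives the point n days later.
T0 = datetime(2020, 5, 20, 9, 0, tzinfo=timezone.utc)


def at(days: int) -> datetime:
    return T0 + timedelta(days=days)


@dataclass
class Grant:
    subject: str
    resource: str
    action: str
    expires_at: datetime   # every right expires; renewal is an explicit new grant
    revoked: bool = False


class AccessRegistry:
    """Default-deny: a request is allowed only by a live, unexpired, unrevoked grant."""

    def __init__(self) -> None:
        self._grants = []   # list of Grant

    def grant(self, subject: str, resource: str, action: str,
              duration_days: int, now: datetime) -> Grant:
        """Issue a right valid for `duration_days`; short durations model temporary access."""
        g = Grant(subject, resource, action, now + timedelta(days=duration_days))
        self._grants.append(g)
        return g

    def revoke_subject(self, subject: str) -> int:
        """Revoke every live right of a subject, e.g. when an employee leaves."""
        count = 0
        for g in self._grants:
            if g.subject == subject and not g.revoked:
                g.revoked = True
                count += 1
        return count

    def is_authorized(self, subject: str, resource: str, action: str,
                      now: datetime) -> bool:
        """True only if some grant matches exactly and is neither revoked nor expired."""
        return any(
            g.subject == subject and g.resource == resource and g.action == action
            and not g.revoked and now < g.expires_at
            for g in self._grants
        )

    def audit(self, now: datetime) -> dict:
        """Count grants by state; expired-but-never-revoked grants merit review."""
        summary = {"active": 0, "expired": 0, "revoked": 0}
        for g in self._grants:
            if g.revoked:
                summary["revoked"] += 1
            elif now >= g.expires_at:
                summary["expired"] += 1
            else:
                summary["active"] += 1
        return summary


if __name__ == "__main__":
    reg = AccessRegistry()
    reg.grant("alice", "hr-db", "read", 365, at(0))   # regular right
    reg.grant("bob", "hr-db", "read", 7, at(0))       # temporary cover for a week
    print(reg.is_authorized("bob", "hr-db", "read", at(3)))   # True
    print(reg.is_authorized("bob", "hr-db", "read", at(8)))   # False, expired
    print(reg.revoke_subject("alice"))                        # 1, alice left
    print(reg.audit(at(8)))   # {'active': 0, 'expired': 1, 'revoked': 1}
```

The registry keeps revoked and expired grants rather than deleting them, so the audit can distinguish rights that ended by the intended expiry from rights that were withdrawn, and can flag rights that expired without anyone having acted.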
Measures in support of availability and resilience
- A design-time organizational measure is the analysis of the impact of accidental loss on data subjects. This aims at identifying the assets that have to be protected by availability measures.
- Another design-time measure pertains to data portability and investigates the availability of suitable standardized machine-readable formats and the possibilities to automatically transfer the data to another controller (see Art. 20(2) GDPR).
- A very common kind of measure in support of availability is the redundancy of storage. Well-known examples include the following:
  - RAID storage;
  - Remote storage in support of disaster recovery.
- Beyond data storage, redundancy may also be important in processing systems. Corresponding measures include the following:
  - Master/Slave configurations with fail-over;
  - Server farms and cloud configurations;
  - Virtualization-based process migration strategies.
[1] For examples of transactional processing outside DBMS, see for example https://en.wikipedia.org/wiki/Tuxedo_(software) and https://docs.oracle.com/cd/E13222_01/wls/docs81/jta/trxejb.html (both last visited 20/05/2020).
[2] See for example https://en.wikipedia.org/wiki/Forward_error_correction (last visited 20/05/2020).