There are 72 hours to go until GDPR Day (#privmas), and you can almost feel CISOs hoping that, if there’s going to be a breach, it happens today and not on Monday. We noted once before that Andrea Jelinek, chair of the (very important) Article 29 Working Party, deadpanned that “there will be a two day grace period [for GDPR], because it goes into effect on a Friday.” But then, that’s not exactly true, because if you’re hacked this Saturday, it’s still the GDPR that applies, and not the Data Privacy Directive. Hilarious!
GDPR security is no laughing matter, of course (and maybe that’s why my GDPR jokes never seem to land at parties). In fact, along with transparency and consistency, we believe that security is one of the three pillars of the GDPR. Security is both a means and an end under the Regulation. It represents the steps that you take to safeguard information as well as a state of being for that information when it is at rest. Without security, none of the goals of the Regulation can be achieved, but the security obligations do come with burdens.
Those burdens are, as we have discussed, substantial. Yet despite the uproar we’ve heard in recent months, the reality is that GDPR’s security obligations are flexible, and designed to evolve with the times and technology. By pegging security to “the state of the art,” the Regulation ensures that there will be a moving baseline of technological safeguards, a development that starkly contrasts with US law. In other words, if you’re still using the same technology to secure data in 2028 as you are today, no matter how good today’s technology is, you may well violate the Regulation. It’s probably time to upgrade from your Commodore 64.
The security obligations in the GDPR are also modular, in that what constitutes adequate security for one company, in one sector, may be entirely inadequate for another. Article 32 states that adequacy depends upon “the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.” This is a crucial distinction, because it allows companies to create security programs and platforms that meet their needs, and not an arbitrary benchmark.
Here’s an example. Imagine a coffee shop in Ireland, which collects names, email addresses, and phone numbers from its customers. It’s also located down the street from Google’s EU headquarters. Both Google and our coffee shop are subject to the GDPR, but the scope, cost, and complexity of their security operations will vary greatly. In other words, there is no one-size-fits-all approach to data security, and the Regulation recognizes that.
More broadly, the security provisions in the GDPR give effect and meaning to the promises of respect for individual privacy and dignity. For Americans (especially lawyers), it might be helpful to compare the security requirements of the GDPR with the Fourth Amendment to the Constitution. The Fourth Amendment guarantees protection against “unreasonable searches and seizure” not only for people, but for their “houses, papers, and effects.” The reason for that protection is simple: without a safeguard against unreasonable arrest or search, there cannot be free speech, a free press, or a lawful criminal prosecution. The Fourth Amendment, then, is the practical guarantee for other rights. But, of course, it only applies against government action – you have to sue in civil court for wrongs committed by private actors, and who doesn’t love civil litigation?
The GDPR has a similar relationship between the philosophical (e.g., Article 5’s description of how and why data may be processed) and the pragmatic, embodied in Article 32’s demand for adequate security measures. Like the Fourth Amendment, the GDPR is about real-world conduct, and emphasizes the effect of security on natural persons (though, unlike the Fourth Amendment, its scope goes beyond governments, and places burdens directly on private actors). Its purpose is not only to empower people to have control over their data, but to give them assurance that it has not been compromised. That is why the reporting requirements are so onerous and why the breach notification deadlines are so short: security and accountability are inseparable when it comes to safeguarding data.
Thus, when you approach your data security planning, bear in mind not only the fact that security is important to regulators, but why it is important. If data is not safe, it can never be private, it can never be portable, and data subjects will never have meaningful control over their online identity. That’s why security is a pillar of the GDPR – without it, none of the rest is possible.