The General Data Protection Regulation (GDPR) is an EU data privacy law that requires companies and organizations processing personal data to comply with certain rules.

Some of these rules are about what information you have to disclose to users when you collect or process their data. Other rules are about when you're allowed to collect data at all, and others describe how you should protect the data you collect. The GDPR requires you to process data securely, and has a list of security actions that you need to take to do this. It also sets out a number of principles that can inform your security measures.

This article will cover what personal data is, what the difference between privacy and security is, and what the GDPR requires for security measures.

Let's begin.


What is Personal Data?

Personal data is information that can be connected to, and identify, a natural person. This could be individual pieces of information that are identifying, such as a full name or social security number. It can also include information that can be combined to identify an individual.

Some examples of personal data are:

  • Name
  • Email address
  • Physical address
  • Birthdate
  • Social security number
  • IP address
  • Banking information
  • Health information
  • Religion
  • Credit card number

Now let's look at privacy and security and how they relate to personal data under the GDPR.

What is the Difference Between Privacy and Security?

The GDPR sets out rules to protect the privacy rights of individuals. Privacy is a right that individuals have relating to how they control their personal data. This could be with regard to collection, use, disclosure, transfer, sale, storage, or deletion.

Security relates to how this personal data is protected. It is a set of processes or measures, whether technical or organisational, that ensure personal data is kept safe from breach, loss, or exposure.

The GDPR requires you to take steps to protect both privacy and security. Security is one of the important pillars of the GDPR that helps reduce risks to data subjects.

Now let's take a look at what the GDPR requires for data security.

What Does the GDPR Require for Reasonable Data Security Measures?

In many privacy policies, the security clause states that the company uses "reasonable measures" to protect user data. Here's one example from OpenAI:

OpenAI Privacy Policy security clause

Here's another example from Pew Research:

Pew Research Privacy Policy security clause

But what does "reasonable measures" mean?

The GDPR requires that you use "appropriate technical and organisational measures" to process and store personal data securely.

You can see in Article 32 of the GDPR that you should take into account a number of factors to ensure data security:

Article 32 of GDPR

The factors that you are required to take into account include:

  • The state of the art (of security technology)
  • The costs of implementation
  • The nature, scope, context and purposes of processing
  • The risk of varying likelihood and severity for the rights and freedoms of natural persons

This means that if there is a new, cutting-edge, effective technology that is very good at protecting data, you should use it. However, if you're a smaller business without a large budget, you can use less-expensive tools if necessary.

If you're processing highly sensitive data like health information, you would be expected to use higher-quality tools.

On the other hand, if the information you collect is minimal and not sensitive, you would take that into account when choosing the tools and processes that protect it. You still need to protect personal data, but if you're a small startup collecting only a username and an email address for, say, a word game app, you most likely wouldn't need the most cutting-edge tools on the market: the risks of processing are low, and so is the risk to privacy rights and freedoms.

Here's an example from OpenText, which describes using security measures that "ensure a level of security appropriate to the risk":

OpenText Privacy Policy security clause

Now let's take a look at the GDPR's suggested measures for ensuring security.

Pseudonymisation and Encryption

Some of the most common approaches to data security include pseudonymisation and encryption.

Pseudonymisation is when you separate data from direct identifiers, so that the identifiers cannot be re-linked to a person's identity without additional information. This would involve replacing these direct identifiers with a pseudonym, which can only be reversed with a special key, which is stored separately.

Encryption changes data into an unreadable format that can only be reversed with a decryption key. Encrypted data cannot be worked with while it is encrypted, whereas pseudonymised data can still be processed in its pseudonymised form. Encryption is therefore usually applied to data being stored or transferred, while pseudonymisation is applied to data that still needs to be processed.

Here's one example from the Google Privacy Policy that mentions its policy for encrypting data:

Google Privacy Policy security clause
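As an added illustration (this code is not from the original article or from any of the companies it quotes), here is a minimal pseudonymisation routine in Python. It uses a keyed HMAC as the pseudonym function, keeps the re-identification table apart from the processing data set, and shows that the pseudonymised records can still be processed (events counted per user) without any email address being present; the records, key handling and function names are constructed for the example.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample: raw records containing a direct identifier (email).
RAW_RECORDS = [
    {"email": "alice@example.com", "event": "login"},
    {"email": "bob@example.com", "event": "login"},
    {"email": "alice@example.com", "event": "purchase"},
]


def pseudonymise(records, key, lookup):
    """Replace the direct identifier with a keyed pseudonym.

    The token is HMAC-SHA256(key, email), so the same person always gets the
    same token (records stay linkable for processing) but the token cannot be
    reversed without the lookup table, which is the "additional information"
    that must be kept separately from the processing data set.
    """
    out = []
    for rec in records:
        token = hmac.new(key, rec["email"].encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = rec["email"]          # stored apart from `out`
        out.append({"user": token, "event": rec["event"]})
    return out


def events_per_user(pseudo_records):
    """Processing on pseudonymised data: no direct identifier needed."""
    return Counter(r["user"] for r in pseudo_records)


def reidentify(token, lookup):
    """Only a holder of the separately stored lookup table can re-link a token."""
    return lookup.get(token)


def demo():
    key = secrets.token_bytes(32)   # pseudonymisation key, kept with the lookup
    lookup = {}                     # re-identification table, kept separately
    pseudo = pseudonymise(RAW_RECORDS, key, lookup)
    counts = events_per_user(pseudo)
    # Check that the processing data set no longer carries an email address.
    leaked = any("@" in str(v) for r in pseudo for v in r.values())
    return pseudo, counts, lookup, leaked
```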

Confidentiality, Integrity, Availability and Resilience of Processing Systems

The GDPR requires you to ensure the confidentiality, integrity and availability of personal data. Confidential means that data should only be accessed by those who need to access it. Part of this involves the use of access controls.

Access controls are security measures that determine who can access data and who can't. For example, people in the human resources team may be allowed to see employee pay data, while people in other teams may not have permission.

Here's another example from the Google Privacy Policy that mentions access controls:

Google Privacy Policy restrict access clause

Data having "integrity" means you need to make sure that the data is accurate and complete, and cannot be changed by unauthorized persons.

"Available" means that if a data subject asks to see what data you have collected on them, it should be possible for you to provide this to them.

A processing system is "resilient" if it is not easily brought down by threats, attacks, or breaches.

Ability to Restore Systems if an Incident Occurs

One important part of security is that systems should be able to get back online quickly if there is an incident. Or, if there is a breach, a patch or fix should be applied as soon as possible.

If there is a loss of power or another hardware problem, backup systems should also be in place so that important security protections are not lost.

Regularly Testing, Assessing and Evaluating Effectiveness

This security measure means that you need to regularly check your security systems to make sure they are working effectively. Good-quality security is an ongoing process, not just a one-off action. You should complete security audits to check the relevant aspects of your security systems and processes. If you identify any vulnerabilities or problems you need to fix these as soon as possible.

Here's another example from the Google Privacy Policy that talks about regularly reviewing systems:

Google Privacy Policy information security clause

Here's an example from Gen II Fund, which goes through most of the reasonable security measures mentioned in the GDPR, including staff training, administrative and technical controls, access controls, encryption, cybersecurity, and physical security:

Gen 2 Fund Privacy Policy security clause

Finally, let's take a look at a few GDPR principles that also help you to ensure data security.

GDPR Principles

The GDPR has a set of principles that govern how you should collect data. These include:

  • Data minimization
  • Purpose limitation
  • Storage limitation

While these are not security measures exactly, by complying with these principles you will be much more likely to meet the security requirements of the GDPR. You can see these principles in Article 5 of the GDPR:

GDPR article 5

Let's take a look at each of these principles in more detail.

Data minimization

The data minimization principle is that you should only collect the data you need, and no more.

While it might not seem like a security measure on its face, collecting less data reduces your attack surface. If you hold less data, you have fewer vulnerabilities and a smaller risk of loss.

Purpose limitation

Purpose limitation means that you limit data collection only to "specified, explicit and legitimate purposes," and that you don't process data for additional purposes.

This principle reduces unnecessary data collection and processing that could increase the likelihood of the identity of a person being exposed.

Storage limitation

The storage limitation principle is that you do not store personal data for longer than necessary.

If you store data only as long as you need it, and no longer, you reduce the risk of unauthorised access, breach, or loss.

Summary

The GDPR is primarily concerned with the privacy of individual persons in the EU. However, it also has some requirements for how you deal with security. Privacy and security are interlinked, and it is hard to protect an individual's privacy rights without good security measures.

Make sure you use pseudonymisation and encryption where appropriate, and put in place access controls, resilient systems, and regular audits. Apply the principles of data minimisation, purpose limitation, and storage limitation in all your systems. With these approaches, you'll be in a good position to comply with the GDPR's security requirements.
