Appropriate Measures for Security: Investigating Legal and Technical Requirements under the GDPR

The General Data Protection Regulation (GDPR) has been in force in the EU since May 2018, but there is still much uncertainty about how to meet its demands in practice. For instance, Article 32 of the regulation states that the data controller “shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”. The GDPR gives some indication of the aspects that should drive the decision on which measures are appropriate, but it admits multiple interpretations. Thus, when reading the regulation’s demands, one question resonates: how can technical measures be devised and put into practice that satisfy both the technical and the legal demands of Article 32? This is the driving question of this project.

If on one side we lack concrete guidelines on how to comply with the GDPR’s demands, on the other, information on what is not compliant is already available: approximately 90 fines have been imposed on the basis of a violation of Article 32. This project will analyse the decisions issued by the Data Protection Authorities (DPAs) imposing fines for breaches of Article 32 GDPR. In particular, it will look at how the DPAs interpret and apply the factors mentioned in this provision, and it will map findings regarding the security of data processing into tangible and concrete guidelines that help the implementation of suitable security measures. This interdisciplinary project combines topics in information security (Dayana Spagnuelo) and in human rights law (Magdalena Jozwiak).

Supervisors: Dayana Spagnuelo & Magdalena Jozwiak