Research Spotlight: Navigating the Complexities of GDPR Compliance

The General Data Protection Regulation (GDPR), which came into force in May 2018, represents a significant step forward in the protection of personal data within the European Union. However, despite its widespread implications, there remains a degree of uncertainty regarding the practical application of its provisions, particularly those related to data security as set out in Article 32. The NI’s Maria Konstantinou, Tina Marjanov, Magdalena Jóźwiak and Dayana Spagnuelo examined the fines imposed on organisations for violations of Article 32 in “Data Security on the Ground: Investigating Technical and Legal Requirements under the GDPR”.

The researchers aim to bridge the gap between the technical and legal interpretations of Article 32 and to provide a more realistic view, with practical recommendations for compliance with Art. 32. By looking at the fines imposed for violations, the authors find that how sensitive the data is, how vulnerable the data subjects are, and the type of mistake (human, organisational, technical) that leads to a breach are all important factors. The article also offers a proof-of-concept of how to use existing cases and, finally, provides a checklist that practitioners may use to prioritise the implementation of measures in order to achieve compliance.

Figure 1. Article 32 GDPR Security of Processing

Method

At the moment of selection (August 2021), over 800 GDPR fines had been imposed, about 200 of them related to the security of processing requirement under Art. 32, which this article focuses on. The EU was not tracking fines, so the authors used sources from private or non-profit entities that track and collect them (GDPRHub, EnforcementTracker and PRIVACYAffairs). Finally, the researchers selected 50 cases to analyse (25% of all Art. 32 cases available at the time), covering 19 EU countries and the UK.

A cluster analysis on categorical data was undertaken to tease out latent non-compliant groups. The authors coded the 50 cases according to the classification codebook below in Table 1.

Table 1. Classification codebook for categorical variables

If there was no data incident, it could mean that the entity was fined for having insufficient organisational measures. Maliciousness refers to whether the threat was accidental or not. Vulnerable data subjects are those persons that due to their physical or mental state (e.g., patients), their age (e.g., children or elderly) or their position of dependence need higher protection. The nature of the data is sensitive if it could involve significant risks to the rights and freedoms of data subjects. The controller is the entity being investigated (a public one would be a hospital or university for instance).

Results

As a result of the cluster analysis, the researchers constructed five discrete groups. The first group consists of entities with insufficient organisational measures. The suggestions to aid this group’s compliance are:

  • separate authorisation profiles depending on needs;
  • implementation of a single profile per person;
  • regular testing and evaluation of systems;
  • logging access to personal data (i.e. who and when);
  • security risk assessment and mitigation;
  • implementation of, and adherence to, data handling protocols, routines and incident response plans;
  • regular staff training regarding privacy policy and protocols.
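Three of the measures recommended for this first group (one account per person, authorisation profiles scoped to what each role needs, and a log of who accessed which personal data and when) can be illustrated in code. The block below is an added example written for this spotlight; it is not code from the paper or its authors. The profile names, data categories ("contact" and "health", the latter standing in for sensitive data), account names and record contents are all constructed for the illustration.

```python
"""Toy access-control and audit-logging layer for personal data.

Constructed example (not from the paper): one account per natural person,
need-based authorisation profiles, and an access log recording who read
which record, which category of data, and when. All names are made up.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Assumed authorisation profiles: each lists the data categories the role needs.
PROFILES: Dict[str, Set[str]] = {
    "receptionist": {"contact"},
    "nurse": {"contact", "health"},
    "auditor": set(),  # may review the log, never the personal data itself
}


@dataclass(frozen=True)
class Account:
    person_id: str  # exactly one account per natural person
    username: str
    profile: str


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    username: str
    record_id: str
    category: str
    allowed: bool
    reason: str


class PersonalDataStore:
    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}        # username -> account
        self._persons: Dict[str, str] = {}             # person_id -> username
        self._records: Dict[str, Dict[str, str]] = {}  # record_id -> {category: value}
        self.log: List[AccessEvent] = []

    def register(self, person_id: str, username: str, profile: str) -> Account:
        """Create an account; refuse unknown profiles, shared usernames and second accounts."""
        if profile not in PROFILES:
            raise ValueError(f"unknown profile {profile!r}")
        if person_id in self._persons:
            raise ValueError(f"{person_id} already has account {self._persons[person_id]!r}")
        if username in self._accounts:
            raise ValueError(f"username {username!r} is already in use")
        acct = Account(person_id, username, profile)
        self._accounts[username] = acct
        self._persons[person_id] = username
        return acct

    def store(self, record_id: str, **fields: str) -> None:
        """Store a record; every field must belong to a classified data category."""
        known = {c for cats in PROFILES.values() for c in cats}
        unknown = set(fields) - known
        if unknown:
            raise ValueError(f"unclassified fields: {sorted(unknown)}")
        self._records[record_id] = dict(fields)

    def read(self, username: str, record_id: str, category: str) -> Optional[str]:
        """Return the field if the caller's profile allows it; log every attempt."""
        now = datetime.now(timezone.utc)
        acct = self._accounts.get(username)
        if acct is None:
            self.log.append(AccessEvent(now, username, record_id, category, False, "unknown account"))
            return None
        if category not in PROFILES[acct.profile]:
            reason = f"profile {acct.profile!r} is not authorised for {category!r}"
            self.log.append(AccessEvent(now, username, record_id, category, False, reason))
            return None
        self.log.append(AccessEvent(now, username, record_id, category, True, "ok"))
        return self._records.get(record_id, {}).get(category)

    def denied_attempts(self) -> List[AccessEvent]:
        return [e for e in self.log if not e.allowed]


def demo() -> PersonalDataStore:
    """Constructed scenario: a receptionist oversteps, a nurse reads within role."""
    store = PersonalDataStore()
    store.register("P-001", "alice", "receptionist")
    store.register("P-002", "bob", "nurse")
    store.store("rec-42", contact="+00 0000 0000", health="allergy: penicillin")
    store.read("alice", "rec-42", "contact")  # allowed and logged
    store.read("alice", "rec-42", "health")   # denied and logged
    store.read("bob", "rec-42", "health")     # allowed and logged
    return store


if __name__ == "__main__":
    for e in demo().log:
        status = "ALLOWED" if e.allowed else "DENIED"
        print(e.when.isoformat(), e.username, e.record_id, e.category, status, e.reason)
```

The point of the design is that the denial is not silent: a refused read leaves the same kind of log entry as a successful one, so the "who and when" record is complete, and a second account for an already-registered person is rejected at registration time rather than discovered later in an investigation.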

The second group “Non-technical mistakes” often involves small businesses where an accidental breach occurs due to human or organisational factors. The authors re-emphasise the suggestions from the previous group, to increase compliance, further highlighting staff training and awareness raising.

The third group, “General breach of personal data”, is the most diverse; its distinguishing feature is that the data breach often results from outside threats. Recommendations for better compliance draw on all the other groups, but technical measures such as multi-factor authentication are especially relevant here.

The fourth group, “Targeted attack”, involves deliberate, malicious attacks from the outside. It therefore calls for technical measures to improve compliance, such as stress-testing infrastructure to verify the effectiveness of existing security measures. The fifth group, “GDPR compliant”, consists of entities that were reported following a complaint but were deemed sufficiently compliant after investigation.

The authors additionally report danger points, where infringement of data security under Art. 32 is likely:

  • System update, reset, restore or restart (appears in 3 cases);
  • Migrations between platforms or versions (3);
  • Moving data between physical locations (2);
  • Code or system reuse (2);
  • Outsourcing to a third company or sharing custody of systems (5).

Common danger points of a primarily organisational or legal nature include:

  • Ineffective accountability framework or lack of clarity in contractual obligations between controller and processor (4);
  • Inconsistent (re)assessment of the effectiveness of organisational measures (6);
  • Insufficient assessment of the imminent risk or harm to the rights and freedoms of data subjects (4).

Conclusion

From a scientific standpoint, this research is valuable for several reasons. Firstly, it provides empirical evidence of the challenges organisations face in securing personal data. Secondly, it offers insight into how regulatory authorities interpret GDPR requirements, which is crucial for organisations aiming to align their practices with legal expectations. Lastly, it underscores the importance of a proactive approach to data security, emphasising the need for ongoing assessment and adaptation of security measures in response to evolving threats and standards.

In conclusion, the GDPR represents a complex yet essential framework for ensuring the protection of personal data. The research presented in PoPETs provides a clearer understanding of the regulation’s practical application and the ongoing efforts required to maintain compliance. As the digital landscape continues to evolve, so too must our approaches to data security and privacy, with scientific research playing a pivotal role in guiding these developments.

For those interested in exploring the full details of the study, the paper is available in the PoPETs 2023 proceedings: Data Security on the Ground: Investigating Technical and Legal Requirements under the GDPR.