Appropriate Measures for Security: Investigating Legal and Technical Requirements under the GDPR

The General Data Protection Regulation (GDPR) has been in force in the EU since May 2018, but there is still much uncertainty on how to meet its demands in practice. For instance, in its Article 32 the regulation defines that the data controller “shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”. The GDPR gives some indication on the aspects that should drive the decision on appropriate measures, but it admits multiple interpretations. Thus, when reading the regulation’s demands, one question resonates: How to devise and put in practice technical measures suitable to guarantee such technical and legal demands from Article 32? This is the driving question of this project.

If on one side we lack concrete guidelines on how to comply with GDPR’s demands, on the other, information on what is not compliant is already available: approximately 90 fines have been applied on the basis of violation of Article 32. This project foresees the analysis of the decisions issued by the Data Protection Authorities (DPAs) imposing fines for the breach of Article 32 GDPR. In particular, it will look at how the DPAs interpret and apply the factors mentioned in this provision, and it will map findings regarding the security of data processing into tangible and concrete guidelines to help the implementation of suitable security measures. This interdisciplinary project combines topics of information security (Dayana Spagnuelo), and in human rights law (Magdalena Jozwiak).

Academy Assistants

Maria Konstantinou: ‘As a law student, I am working on the legal side of the project. My work includes researching the scholarly literature on the risks resulting from a privacy and data protection infringement and analysing the DPA decisions to detect the non-compliance mistakes and concretise the appropriate organisational measures under Article 32 of the GDPR.’.
Tina Marjanov: As a Computer Science student, I am working on the technical side of the project. This includes researching the state of the art standards and requirements in the field of information security and then analyzing the DPA decisions to extract the common mistakes and formalize technical guidelines for compliance with the GDPR article 32.

Supervisors