The AVG and information security

This article outlines the main developments surrounding the General Data Protection Regulation (AVG) and information security, and the connection between them. The following topics are discussed: the relationship between privacy and information security, laws and standards, ISO 27701 as a framework for the AVG, Data Protection Impact Assessments (DPIA) and dealing with and preventing data breaches.

July 20, 2020

coauthor: Erie Berhitu

Privacy & information security: two disciplines with a common goal

For many organizations, privacy and information security are synergistic, overlapping topics. When you talk about privacy, you often mean information security, and vice versa. That is not very surprising, since privacy and information security go hand in hand. The two concepts actually differ mainly in one essential respect: privacy is about using collected personal data correctly, for a particular purpose. Information security, on the other hand, is about the efforts we make to ensure that this data remains confidential, intact and available.

In short, an organization may collect only the personal data needed for the underlying purpose (privacy), but then has a duty to ensure that this data does not fall into the wrong hands, is not inaccurate, and is always available when the situation calls for it (information security). In that respect, privacy and information security have a kind of end-means relationship with each other. Increasingly, therefore, an integrated approach to the two topics is being chosen. Later in this fact sheet we elaborate on this integrated approach using ISO 27701, the latest standard in the field of both information security and privacy.

AVG and standards frameworks

There was criticism of the AVG's information security provisions from the very beginning. They were said not to be clear enough, so organizations did not know what measures to take to make their information security compliant. It soon became apparent that the solution lay in following certain standards frameworks. For now, privacy is predominantly driven by legislation. Information security, on the other hand, is driven by standards frameworks, such as the ISO 27001 standard: the (somewhat) abstract, general legislation on the one hand and the concrete, specific standards framework on the other.

The advantage and disadvantage of legislation is that it can be interpreted broadly. The advantage is that you have the freedom to set up privacy and information security as you see fit, without flouting the law. The disadvantage is that you are not sure when you are or are not complying with the law.

In contrast, the advantage and disadvantage of an ISO standard is that it is more current and can be seen as an indicator of "the state of the art". The advantage is that you can respond quickly to changes in technology, legislation and business risks. The disadvantage is that you have to maintain it permanently, it costs time and money to keep up, and implementation can be drastic for day-to-day operations. Of course, conforming to the standard also means that you lose some freedom, but you get certainty in return.

'Appropriate security' - what is that anyway?

While information security has long been an integral part of modern business operations, the protection of privacy has only recently come into focus with the introduction of the AVG. The demand for concrete tools to demonstrably protect privacy is growing rapidly.

Indeed, the legislation remains quite abstract. For example, in the context of information security, Article 32 of the AVG talks about taking "appropriate" measures. But how do you know whether the measures you have taken are "appropriate"? The AVG describes this as follows:

  • The "state of the art" and "implementation costs" must be taken into account when taking technical and organizational security measures, and;

  • The nature, scope, context, purposes and risks of personal data processing determine the level of security measures.

So this is not very clear. In any case, this establishes that, as an organization, you must decide for yourself what you will or will not implement. But how do you know if you are taking the right measures? You do that by identifying information security risks and then mitigating them to an acceptable level.

Information security as a continuous process

For information security, globally accepted standards, such as the ISO 27001 standard, have been used as a risk-based approach for many years. ISO 27001 helps manage information risks in a process-oriented and cyclical way through the implementation of an "Information Security Management System" (ISMS). This looks at the likelihood of a threat occurring and its impact on business operations. At the heart of an ISMS is a Plan-Do-Check-Act (PDCA) cycle, which drives continuous improvement. ISO 27001 ensures that an organization is demonstrably in control of information security risks through the implementation of a set of measures, processes and procedures that increase the availability, integrity and confidentiality of information. Any organization that has implemented ISO 27001 can also become certified to demonstrate that it is serious about information security. ISO 27001 prescribes policies, measures, processes and procedures that cover, among other things, managing security incidents, access security, physical security, vendor relationships, business continuity and the internal organization of information security.

The ISMS and the PDCA cycle

The ISMS consists of both technical (IT) and organizational components (such as employee behavior, policy, the internal organization, and procedures and guidelines). Thanks to the ISMS, an organization gets a grip on information security. A number of activities, such as periodic internal audits and risk analyses, are mandatory. By properly setting up an ISMS and performing the mandatory activities, an organization can demonstrate that sufficient attention is paid to information security.

The ISMS is based on the so-called PDCA cycle (Plan, Do, Check, Act). You successively determine what is business-critical and which risks must be controlled (Plan), what you must then do to improve this (Do), whether a risk is actually present (Check) and how you finally improve the process (Act). Continuous anticipation and improvement is the starting point to properly act on ever-changing threats.

Bridge between information security and privacy

While these kinds of practical frameworks for information security have been the norm for years, there is worryingly little of this kind for privacy and the AVG. How ideal would it be if you could also guarantee that you are processing personal data in a privacy-friendly manner? Fortunately, there is now ISO 27701,(1) a standard designed to connect the AVG and ISO worlds.

ISO 27701 also has a Plan-Do-Check-Act cycle, which integrates privacy into the ISMS. In this way, the legal concept of "appropriate", as in Article 32 of the AVG, is partially fulfilled. Indeed, working through a PDCA cycle forces an organization to make continuous improvements, and thus to stay more in line with what the AVG calls "the state of the art". And of course, specific topics such as the obligations of the data controller, the processor and the data protection officer (FG) are also addressed.

We will discuss how ISO 27701 works in practice in a later edition of this series of fact sheets.

Data Protection Impact Assessments

In certain circumstances, the AVG requires that an intended data processing operation be examined, in a risk-based way, for the risks the processing poses to data subjects. This risk analysis is also known as a Data Protection Impact Assessment (DPIA). Article 35 of the AVG states that a data protection impact assessment must be carried out prior to processing. The law does not prescribe a form for conducting a DPIA, but it does require at least the following:

  • First, all relevant information about data processing should be recorded in a concise manner. This includes how personal data are processed, who is internally responsible for the processing activity and what the underlying purposes are.

  • It is then necessary to consider whether the proposed activity complies with the AVG. This is done by looking at the necessity and proportionality of the processing in relation to the purposes of processing, for example, by assessing whether no more personal data are processed than strictly necessary.

  • This legal test provides the basis for then assessing the privacy risks to data subjects. Indeed, a data subject may be at high risk of identity fraud or discrimination.

  • Ultimately, the total risks found will have to be mitigated to an acceptable level of risk. You do this by taking technical and organizational security measures where the risks are greatest. It is then useful to see to what extent one control measure can cover multiple risks.

Data breach

It has been mandatory since the previous privacy law, the Personal Data Protection Act (Wbp), to report data breaches to the Personal Data Authority, and in some cases even to the data subjects themselves. This is again guided by the privacy risks for the data subjects. Articles 33 and 34 of the AVG state that a data breach must be reported within 72 hours of discovery.

Not every information security incident is a data breach. The availability, integrity or confidentiality of a system or application can be compromised without any privacy risk to data subjects. A classic example is a stolen laptop that is encrypted or has already been remotely erased. There is then no need to file a report. But the reverse can also be true: an information security incident that seems fairly innocuous may actually be a data breach. One example is an e-mail containing sensitive information sent to the wrong person. In that case, too, it is mandatory to file a report.

A wide range of technical and organizational measures can be devised to reduce the risk of data breaches. On the organizational level, think of creating work instructions, initiating awareness campaigns and determining roles and responsibilities regarding privacy protection. And on a technical level, think about measures such as enforcing passwords and automatic locking, setting up logical access management or facilitating a VPN connection.

However, again, the right measures must be selected based on the results of a risk analysis. The basic principle here is that you control the various risks as far as possible with realistic means.

Footnotes

(1) https://www.privacy-web.nl/artikelen/iso-27701-en-privacy-informatiemanagement
