IT security in practice: infusing life into Article 32 of the GDPR

Stefan Hessel

Article 32 of the GDPR requires controllers to ensure an appropriate level of security by implementing technical and organizational measures consistent with the state of the art. If these measures prove inadequate and a data breach occurs, the controller may face damage claims from data subjects in addition to heavy fines. Ensuring an appropriate level of IT security is therefore of utmost importance for companies.

But the GDPR does not name any specific measures: it merely cites some abstract examples of ways to protect data, such as the use of encryption. As a result, technical standards such as the IT Baseline Protection (Grundschutz) Compendium  in conjunction with further recommendations from the Federal Office for Information Security (BSI) or ISO 27001 are used in practice to supplement Article 32 of the GDPR. While it is true in principle that the GDPR is European law and that Article 32 of the GDPR must be interpreted independently of outside sources, the law may be supplemented by general standards of IT security, as is the case for industry standards such as TISAX for the automotive industry and the Cybersecurity Requirements for Connected Medical Devices in the health care sector.

Data protection authorities have also begun to address this issue in greater detail recently. As examples, we can cite the "Guidance for Controllers on Data Security" from the Irish data protection authority and the "Notes on the Handling of Passwords" from the Data Protection Commission for the State of Baden-Württemberg, which was published at the start of 2019.  While the content of both of these documents largely reflects the requirements which are defined in existing technical standards, they provide a better overview and are more accessible. This feature should be especially attractive for companies without a dedicated IT security department. These documents also show that controllers can act in accordance with existing technical standards without running the risk of coming into conflict with the requirements of data protection law.

Accordingly, the challenge for controllers is less the availability of appropriate guidelines than the question of which level of security is required in each individual case. It should be kept in mind in this regard that IT security requirements are derived not only from the GDPR but from a whole catalogue of other statutes (e.g. the Tax Code in conjunction with the Generally Accepted Principles for Keeping and Preserving Accounts, Records and Documents in Electronic Form, as well as Data Access (GoBD)). As a result, IT security should not be understood as a purely technical question, but rather as one which requires specialized legal expertise.

[May 2020]