GDPR and cybersecurity: data protection

Introduction to the GDPR

The GDPR is the acronym for General Data Protection Regulation. This is a European Union law adopted to harmonize personal data protection laws across the EU and to strengthen citizens’ rights regarding the management of their data.

The GDPR was approved by the European Parliament on 27 April 2016 and officially entered into force on 24 May 2016, but its implementation took place two years later, therefore starting from 25 May 2018. 

From that moment on, all organisations, regardless of their location, that process personal data of European Union citizens are obliged to comply with this legislation.

In general, the GDPR requires that companies must collect and process personal data in a lawful, transparent and limited way to the stated  processing purposes .

Individuals have the right to know what data is collected about them, to access that data, to request rectification or deletion, and to object to certain methods of processing. Furthermore, the regulation requires companies to implement adequate technical and organizational measures to ensure the security of personal data, preventing unauthorized access and other threats that could compromise the privacy of individuals.

GDPR and IT security: an essential combination

The European Data Protection Regulation , known as GDPR, was introduced to ensure that the rights and freedoms of natural persons are adequately protected in the context of the processing of personal data . 

This has posed new challenges for businesses, especially in relation to cybersecurity . Although some believe that “ cyber security is excluded from the GDPR ,” in reality, the GDPR requires every organization to put in place appropriate technical and organizational measures to protect data.

The basics of the GDPR and cybersecurity

The General Data Protection Regulation (GDPR) not only establishes how personal data should be processed but also imposes specific security measures to protect it. These measures are essential to ensure that data processing takes place in a secure environment, considering the state of the art in cybersecurity and the level of risk associated with potential threats.

Although the GDPR does not provide technical details on how to implement security measures, it requires companies to ensure an adequate level of protection to prevent unauthorized access, data breaches, and other security incidents.

Key Cybersecurity Measures Required by GDPR

To comply with GDPR, companies must adopt security measures such as:

1. Data Encryption
   GDPR encourages the use of encryption to protect sensitive information.
   • Example: A hospital handling medical records may implement end-to-end encryption to secure test results sent to patients via email.
   • Example: A bank uses AES 256-bit encryption to protect customers’ online transaction data.
2. Access Control
   Restricting data access to only authorized personnel reduces the risk of breaches.
   • Example: An e-commerce company implements multi-factor authentication (MFA) to ensure that only authorized employees can access customer data.
   • Example: A university deploys a role-based access control (RBAC) system to limit access to student records to only professors and administrators.
3. Threat Monitoring and Detection
   GDPR requires measures to detect and respond to data breaches quickly.
   • Example: A pharmaceutical company uses Security Information and Event Management (SIEM) to monitor real-time suspicious access to corporate servers.
   • Example: A social media platform employs Intrusion Detection and Prevention Systems (IDS/IPS) to identify and block unusual activities in user databases.
4. Data Pseudonymization
   Pseudonymization is a technique that separates personal data from identifiable details.
   • Example: A medical research company assigns anonymous codes to store clinical trial data without directly linking it to patients’ identities.
   • Example: An insurance company converts sensitive data into unique identifiers, so that personal information is not directly traceable to an individual.
5. Incident Response Plans
   Having a plan to respond to breaches is crucial to minimizing damage and complying with GDPR’s notification requirements.
   • Example: A fintech company has a data breach notification protocol that allows it to inform authorities within 72 hours, as mandated by GDPR.
   • Example: A global retail corporation conducts cyberattack simulations (red teaming) to test how well its security team can handle potential breaches.

The principle of accountability

One of the key concepts of the General Data Protection Regulation (GDPR) is the principle of accountability. This principle requires companies not only to comply with data protection regulations but also to demonstrate actively that the technical and organizational measures they have implemented are appropriate and effective.

It’s not just about following the rules; organizations must be able to prove that they have put in place proportionate measures based on the nature of data processing and associated risks. This involves continuous risk assessment, adopting solutions that align with the state of the art in cybersecurity and data protection.

How Does Accountability Work in Practice?

Companies can demonstrate compliance with the accountability principle through various actions:

1. Maintaining and Updating the Record of Processing Activities (RoPA)

GDPR requires companies to document their data processing activities in a record of processing activities.

• Example: A digital marketing company keeps an updated record of its advertising campaigns, specifying what personal data is collected (emails, purchase preferences), who has access to it, and how long it is retained.
• Example: A hospital maintains a detailed record documenting the purpose of processing medical data, the security measures in place, and which personnel categories can access it.

2. Implementing Data Protection Policies

Organizations must establish clear policies on data management and ensure that all employees are aware of them.

• Example: A bank has an internal data protection policy outlining strict rules on how employees can access customers’ financial data and the procedures to follow in case of a security breach.
• Example: An e-commerce company implements a user data processing policy, ensuring that credit card data is encrypted and that customers can easily request data deletion.

3. Conducting Data Protection Impact Assessments (DPIA)

DPIAs are mandatory when data processing is likely to result in a high risk to individuals’ rights and freedoms.

• Example: A video surveillance company installing facial recognition cameras conducts a DPIA to evaluate privacy risks and define appropriate mitigation measures.
• Example: A social media platform launching a new AI-based profiling system carries out a DPIA to assess its impact on user rights.

4. Appointing a Data Protection Officer (DPO)

Organizations must designate a Data Protection Officer (DPO) if they process large-scale or sensitive personal data.

• Example: A healthcare provider handling sensitive patient information appoints a DPO to monitor GDPR compliance and advise on security measures.
• Example: A software company developing biometric data processing solutions hires a DPO to oversee its data protection practices.

5. Training Employees on Data Protection

Accountability also requires educating employees about security and data protection best practices.

• Example: An IT company organizes annual training sessions for its staff on phishing, secure password management, and corporate data protection.
• Example: A financial institution introduces periodic security tests to ensure employees can recognize phishing emails and follow proper security protocols.

6. Prompt Notification of Data Breaches

GDPR mandates that data breaches must be reported to authorities within 72 hours, and in some cases, affected individuals must also be informed.

Example: A mobile banking app detects unauthorized access to customer accounts and sends immediate notifications to users, advising them to change their login credentials.

Example: A telecommunications company, after experiencing a cyberattack that compromised thousands of customer records, notifies the Data Protection Authority within the required timeframe and directly contacts affected users.

Adequate technical and organizational measures

What Does “Adequate Security Measures” Mean in GDPR?

Under the General Data Protection Regulation (GDPR), the concept of adequate security measures refers to implementing safeguards that are proportionate to the risks associated with processing personal data.

Article 32 of the GDPR states that companies must adopt security measures considering:

• The state of the art in cybersecurity.
• The cost of implementation of security measures.
• The nature, scope, context, and purpose of data processing.
• The risks posed to individuals’ rights and freedoms in the event of a data breach.

This means there is no one-size-fits-all solution—security measures should be scalable and tailored to the type of data being processed and the associated threats.

Risk Assessment: The First Step to Adequate Security

Before implementing security measures, a company must conduct a risk assessment to identify threats and vulnerabilities in its IT systems. This evaluation typically includes:

• Identifying the types of data processed (e.g., sensitive data like medical or financial records).
• Analyzing potential threats (hackers, malware, unauthorized access).
• Assessing internal vulnerabilities (e.g., weak passwords, outdated software).
• Evaluating the potential impact of a breach (identity theft, reputational damage, fines).

Examples of GDPR-Compliant Security Measures

Depending on the company’s size and the type of data handled, security measures can vary. Here’s an overview of key solutions:

1. Data Encryption: Protecting Sensitive Information

Encryption ensures that data remains unreadable without a decryption key.

• Small business: A law firm encrypts client documents using full-disk encryption on company laptops.
• Large corporation: A bank applies AES 256-bit encryption to secure online transactions and customer credentials.

2. Access Control: Restricting Who Can View Data

Limiting data access to authorized personnel reduces the risk of data leaks.

• Small business: An e-commerce company uses multi-factor authentication (MFA) to ensure only authorized employees can access customer data.
• Large corporation: A hospital implements a role-based access control (RBAC) system, allowing doctors to access medical records but limiting administrative staff to billing information.

3. Threat Monitoring and Detection

Implementing monitoring systems helps detect suspicious activity or unauthorized access attempts.

• Small business: A consulting firm uses a next-generation firewall and intrusion detection system (IDS) to protect business data.
• Large corporation: A multinational company deploys a Security Information and Event Management (SIEM) system to collect and analyze system logs for potential anomalies.

4. Backup and Disaster Recovery: Ensuring Data Availability

Having data backups ensures that information can be restored in case of cyberattacks or system failures.

• Small business: A dental clinic performs automated cloud backups every 24 hours to protect patient records.
• Large corporation: An airline uses a disaster recovery strategy with real-time data replication across multiple global servers.

5. Pseudonymization: Separating Personal Data from Identifiers

Pseudonymization reduces privacy risks by replacing identifying data with artificial identifiers.

• Small business: An online survey platform assigns anonymous ID numbers instead of user names to reduce the risk in case of a breach.
• Large corporation: A medical research institute stores genetic data using unique identifiers, ensuring that it cannot be directly linked to an individual.

6. Incident Response Plans: Being Prepared for Data Breaches

GDPR requires companies to report data breaches to authorities within 72 hours.

Large corporation: A telecommunications company has a Cybersecurity Incident Response Team (CSIRT)that immediately reacts to cyberattacks, mitigates damage, and notifies affected users.

Small business: An online retailer suffers a cyberattack and follows its data breach notification protocol, informing both customers and the Data Protection Authority.

The processing implements security measures

Organizations are required to ensure that any processing of personal data implements appropriate security measures. 

This means that security is not something that can only be considered at the beginning of a project or during the design of a system, but must be integrated into every phase of the data lifecycle. The European regulation emphasizes that companies must consider the context and purposes of the processing and take into account the state of the art when deciding which measures to take.

Measures may include adopting security policies, training staff, implementing advanced technological solutions and creating processes to manage data breaches. This proactive approach is essential to maintaining GDPR compliance and protecting data effectively.

The link between GDPR and cybersecurity

In summary, the GDPR and cybersecurity are closely linked. While cybersecurity is not the sole focus of the GDPR, it is clear that the regulation requires organizations to take appropriate technical and organizational measures to protect personal data. 

This requires a continuous commitment by companies to assess risks, adopt best practices and ensure an adequate level of security to prevent unauthorized access and other threats. In an increasingly digital world, data protection is not just a matter of regulatory compliance, but is also fundamental to safeguarding the rights and freedoms of natural persons. 

Frequently asked questions

What is GDPR and how does it affect cybersecurity?
The GDPR is a European regulation that establishes rules for the protection of personal data. It requires the adoption of IT security measures to protect such data.

Is cybersecurity excluded from the GDPR?
No, cybersecurity is not excluded from the GDPR. Indeed, the GDPR requires the adoption of adequate technical and organizational measures to guarantee data security.

What are appropriate technical and organizational measures?
They are practices and tools adopted by companies to ensure that personal data is processed securely, taking into account the state of the art and risks.

Does GDPR require data encryption?
The GDPR does not explicitly require encryption, but considers it a useful measure in many cases to protect personal data.

How do you demonstrate GDPR compliance?
Through the principle of accountability, which requires documenting and demonstrating the adoption of security measures appropriate to the context and purposes of data processing.

What is the role of data processing in the GDPR?
Data processing is any operation performed on personal data. The GDPR requires that all processing is safe and compliant with the rules of the regulation.

What does “adequate level of security” mean?
It means adopting security measures proportionate to the risk associated with data processing, also considering the context and purposes of the processing.

Does GDPR only apply to large companies?
No, the GDPR applies to all organisations, regardless of size, that process the personal data of EU citizens.

How are data breaches handled under the GDPR?
Violations must be reported to the competent authorities within 72 hours and, in some cases, to the interested parties. 

Does the GDPR require the use of advanced technologies?
The GDPR requires that the security measures adopted are appropriate, taking into account the state of the art, but does not specify particular technologies.