By Aimee Bush – Senior Data Privacy Consultant
The Irish Data Protection Commissioner (DPC) has fined Facebook’s parent company, Meta, €17 million for a number of data protection breaches that occurred in 2018.
Meta reported 12 breaches to the Irish DPC, which is its Lead Supervisory Authority in Europe, between June and December 2018. The DPC opened a ‘security’ related inquiry into Facebook as a result of the number of similar breaches over that six-month period.
The breaches were found to be the result of a “lack of Technical and Organisational measures”. Meta was therefore unable to demonstrate that sufficient controls had been implemented to protect individuals’ data.
Due to the ‘One Stop Shop’* regime under the General Data Protection Regulation (GDPR) in Europe, the DPC has gained agreement from all other Supervisory Authorities for this action and the subsequent fine. It certainly helps the Data Protection Officers (DPOs) amongst us to understand what the EU’s enforcement focuses are!
Whilst we don’t know what the 12 breaches entailed or how many individuals were impacted, we can ascertain that the Irish DPC, and their counterparts across the EU, are taking security breaches seriously and will willingly fine those organisations who fail data subjects.
What are ‘Technical and Organisational Measures’?
Technical and Organisational measures are the controls required to comply with the GDPR’s security principle under Article 32. Article 32 covers not only what you, as a controller, must comply with, but also how the same obligations apply to processors.
Technical measures that organisations should consider include:
- Encryption for IT Assets (particularly laptops and mobile devices);
- User Access Controls to ensure people only have access to what they need to do their job;
- Anonymisation and Pseudonymisation techniques for personal data that is not required in its identifiable format;
- Firewalls to prevent unwanted intrusions;
- Security Updates and Patching to ensure that your assets and software don’t fall foul of known vulnerabilities;
- Back-ups to ensure that if a breach did occur, you could quickly get back up and running.
Organisational measures are things like policies, processes and procedures. These may include:
- Designating an individual responsible for day-to-day security across your organisation;
- Ensuring that individual has the resources and authority to carry out their role;
- A culture of security (this one should not be overlooked). Ultimately, everyone is responsible for the security in your organisation;
- A set of policies which outlines what personal data you process, how it can be used and how your organisation complies with the security principle, e.g. Information Security Policy, Business Continuity Plan, Equipment Disposal Policy, Bring Your Own Device (BYOD) Policy etc.;
- You may also want to consider implementing controls against an internationally recognised standard such as ISO 27001 (Information Security Management System, or ISMS), which helps you demonstrate compliance against a set of ‘best practice’ controls.
Factors to consider when you’re implementing your security measures:
- No organisation is the same and security is not one-size-fits-all. What’s appropriate for a multi-national organisation will not work for a start-up.
- When thinking about what is appropriate for your organisation, you should think about:
  - What data you’re processing and for what purposes;
  - The number of staff you have and what they have access to; and
  - The processors you’re using and what data they process on your behalf.
- Don’t forget about physical security. Technical measures on assets are brilliant, but if bad actors can get into your premises, that doesn’t help your cause.
- You don’t always have to have the most expensive or state of the art security measures. Consider a breach of health records vs an email address; the security measures must be appropriate to what data you’re securing and the impact on individuals if a breach were to occur.
*The One Stop Shop mechanism is a concept introduced by the GDPR. It allows organisations with an EU presence to select a ‘lead’ authority. Therefore, in the event of a breach, the organisation reports to its Lead Authority, which then engages with any other impacted member states to determine the action to be taken against the organisation, which may include monetary fines.