What security measures must a company implement to comply with the General Data Protection Regulation?

This question seems to be a constant in those organizations that are considering adapting their systems to the data protection regulations, and until today it has been a widely controversial issue. Fortunately, the recent Supreme Court ruling 188/2022 has shed much needed light on a key aspect of data protection and information security compliance.

What obligations does the General Data Protection Regulation impose in terms of security measures?

Data security constitutes an essential pillar of the regulatory framework for our privacy. It is no coincidence that the GDPR includes among its postulates the principle of “integrity and confidentiality”, whereby data shall be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”. But how is that security to be ensured? The GDPR itself provides an answer:

Controllers and processors shall determine and adopt measures appropriate to the existing risk, “taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons”.

The problem with these provisions is obvious: at no point is the specific content of these measures spelled out. Instead, it is up to the obliged parties themselves to carry out the relevant risk analysis and, on that basis, to implement the measures necessary to safeguard the personal data in their possession. The adoption of effective measures is a legal duty of data controllers and data processors, and failure to comply with it may lead to financial penalties of up to 20 million euros.

In 2018, the Spanish Data Protection Agency imposed a fine of €40,000 on a telecommunications company following a personal data breach, taking the view that the security obligations imposed by the data protection regulation had not been complied with.

In the Agency’s opinion, the security measures adopted by the company were not sufficient for its duties to be considered fulfilled, since they did not prevent the breach in question from materialising. This is what is known as an “obligation of result”.

After the Audiencia Nacional (National High Court) upheld the Agency’s decision, the sanctioned company filed an appeal in cassation before the Administrative Chamber of the Supreme Court. The company argued that it made no sense to conceive of the security obligation as one of result, since there will always be some risk, however small, of an incident taking place. In the company’s own words, “Configuring it as an obligation of result invalidates de facto any technological and organizational effort and investment that could be implemented in terms of data security”. Instead, it asked the Court to treat the obligation at stake as one of “means”, where the determining factor is the proactive and diligent conduct of the obligor.

In the judgment discussed here, the Supreme Court accepts this thesis and confirms unequivocally that the security obligation is an obligation of means. It is therefore sufficient to implement measures proportional to the existing risks; the organisation is not liable for every incident regardless of the effort it made to prevent it. However, the Court upheld the fine on the grounds that, although the organisation had planned a series of protection measures, these did not include technologies that existed at the time and which, had they been implemented, would have prevented the breach that occurred. Likewise, the High Court emphasises that:

“It is not enough to design the necessary technical and organizational means, it is also necessary their correct implementation and their use in an appropriate manner, so that it will also be liable for the lack of diligence in their use, understood as a reasonable diligence taking into account the circumstances of the case”.

In short, although absolute and perfect infallibility is not required of information security systems (it is impossible to achieve), the organisation must ensure that adequate measures are employed and that they keep pace with the state of the art. In addition, it is essential to ensure that the chosen measures are properly implemented at all levels and by all relevant personnel.

How can a company meet its obligations?