Breach of security requirements under Article 32 of GDPR
DOI: https://doi.org/10.32091/RIID0020
Keywords: GDPR, Security measures, Article 32, Cybersecurity Compliance, Europe
Abstract
According to a recent survey, organizations reported that the biggest challenge they face in complying with the GDPR is aligning their security measures with the requirements established by Article 32 of the GDPR. This difficulty may stem from particular characteristics of security measures, such as their very broad implementation scope, the great diversity of existing measures to be implemented, and the need to involve several professionals with different backgrounds in their implementation. Among the legal difficulties, it is argued that Article 32 of the GDPR does not identify specific measures to be implemented, or those which could be deemed appropriate, but only provides a list of recommended measures. In addition, the requirement that security measures be appropriate depends on a number of subjective factors, which leaves broad discretion to European supervisory authorities to rule on which measures may be deemed appropriate and which may not. In order to provide precise guidance to organizations, the article analyzes the decisions of selected European supervisory authorities related to IT security in order to identify which measures were deemed appropriate and which inappropriate. The decisions were grouped by the types of security measures analyzed by the authorities: accountability, access management, use of obsolete applications and protection of data. The analysis shows that European supervisory authorities adopt a uniform approach to defining the appropriateness of security measures. Moreover, given the importance of cybersecurity in the near future and the importance of the protection of personal data, such uniformity should be preserved to ensure legal certainty and a uniform application of the GDPR's security requirements across Europe.