The GDPR and the CCPA have made headlines for their wide scope and impact on privacy practices. On the issue of data security, they take somewhat different approaches, but the bottom line for companies is quite similar: data security measures tailored to the company’s risk profile and actual practices are essential for both legal compliance and the protection of the company and its customers.
The GDPR makes data security a general obligation for all companies processing the personal data of individuals in the European Union (EU) by requiring controllers and processors to implement "appropriate technical and organisational measures to ensure a level of security appropriate to the risk" (Article 32). As set out in Article 32(1), such measures include, as appropriate: pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services; the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing, and evaluating the effectiveness of those technical and organisational measures. Comprehensive internal policies and procedures, matched to the actual risk of the processing, are thus crucial for every company that controls or processes EU personal data. Recent enforcement brings this point home: the Portuguese supervisory authority (CNPD) fined a hospital for using software that provided inadequate protection of patient data, even though the hospital argued that the software had been supplied by the Portuguese Health Ministry. Relying on a vendor or a public body for a system does not shift the controller's own responsibility for the security of the processing.