Today my lecture in the “EU and Global Cybersecurity Fundamentals” course will present a cybersecurity reading of the GDPR. Having learned about computer security technology and its principles, and having familiarized themselves with the most relevant EU cybersecurity legal sources, the students are now ready to make the connection with personal data protection!
One of the aims of this course is to give students the elements they need to create and manage an integrated data protection and cybersecurity framework. Accordingly, this afternoon we will look at the GDPR from a cybersecurity angle, isolating the relevant provisions and highlighting the connection between cybersecurity and data protection in both technical and legal terms.
I’ll open the lecture, which bridges the security knowledge the students have gained so far with data protection law, with recital 1 GDPR. Recital 1 underlines that the protection of personal data is a fundamental right: “The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the ‘Charter’) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her”. We’ll then explore recital 2 GDPR, which refers to security among the aims the Regulation is intended to serve: “This Regulation is intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons.” Moving on, recital 26 will give us further insight into the question of anonymisation vs. pseudonymisation, and recital 39 will help us understand the relevant principles (“…Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing”).
We will also touch on: the legitimate interest in network and information security (recital 49); automated decision-making and profiling (recital 71); the catalogue of risks (recital 75); data protection by design and by default (recommended also for processors, recital 78); the relevance of carrying out data protection and cybersecurity due diligence on processors before engaging them (recital 81); data security as a domain of risk assessment (recital 83); the DPIA as a full-fledged data protection and security risk assessment (recital 84); data breaches and security incidents (recital 85); communication of a data breach (recital 86); the fact that compliance with Art. 32 GDPR will be checked in the event of a data breach (recitals 87 and 88); and the importance of data security measures also in the light of a consultation with the Supervisory Authority (recital 94).
We’ll then look at the letter of the law, commencing with article 4(12) GDPR on the definition of a personal data breach, and get into the nitty-gritty of the lecture by exploring arts. 5, 6, 21, 22, 23, 24, 25, 28, 30, 32, 33, 34, 35, 36, 39, 40, and 42 GDPR. The highly relevant impact of data security on data transfers (Chapter V GDPR) will be discussed, which is particularly important in the current post-“Schrems II” international data transfer landscape. Finally, we will address the possible sanctions, liabilities and responsibilities that arise where a lack of cybersecurity measures results in violations of the GDPR (arts. 82 and 83 GDPR).