Data Security

Author: David Zetoony
Profession: Partner in the Boulder, Colorado office of Bryan Cave Leighton Paisner, LLP, an international law firm
Pages: 89-90
Q.91 Does the GDPR require that a company comply with a specific security standard?
No.
The GDPR requires only that a company “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, [to personal data].”202 The regulation does not set forth or incorporate a specific security standard or framework, or require that companies utilize specific technology when securing information.
Q.92 Is the GDPR’s data security standard new?
No.
It is a common misconception that the GDPR imposed a new data security standard upon companies. In fact, the data security language contained within the GDPR is substantively similar to that which had been in place for the preceding twenty years under the Privacy Directive. The following provides a comparison of the security standards used in both documents:
PRIVACY DIRECTIVE, ARTICLE 17:
“Member States shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.”203

GDPR, ARTICLE 32:
“. . . the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”204
202. GDPR, Article 32(1).
203. Privacy Directive, Article 17(1).
204. GDPR, Article 32(1) (emphasis added).
