The European Data Protection Supervisor (“EDPS”) Giovanni Buttarelli issued a guidance document on data security and risk management for the E.U. institutions (such as the European Parliament, the European Council, and the Council of the European Union) on March 21, 2016. Although aimed at E.U. institutions, the document may nonetheless become a source of guidance on risk-based information security practices for other data controllers in the E.U., given its authority and the similarity between the security provisions of a number of E.U. directives and regulations.
The guidance, called “Security Measures for Personal Data Processing,” is issued pursuant to Article 22 of Regulation 45/2001, which “contains the legal requirement for E.U. institutions to mitigate risks when processing personal data.” (The same regulation established the EDPS as an independent supervisory authority.) Article 22 requires, among other things, that data controllers, “having regard to the state of the art and the cost of their implementation . . . implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected.” Similar language is used in Article 17 of the Data Protection Directive and Article 4 of the ePrivacy Directive, and is also used in soon-to-be-enforced laws such as the Network Information Security Directive. The guidance notes that it “should also be useful for bodies, organisations or companies that are subject to these other legal instruments.”
The guidance seeks to explain Article 22 and to provide “information on the main practical steps EU institutions and bodies should take in order to comply with it.” The EDPS’s approach is grounded in “accepted good practices in Information Security Risk Management,” and therefore does not prescribe a particular set of security measures. Indeed, the EDPS notes:
Security measures protecting personal data cannot be defined generically (it is not possible to define a set of security measures that can be applied in all cases) since they must come from the Information Security Risk Management process, which takes into account the specific context in which personal data is processed.
Further, because individuals responsible for information security are faced with uncertainties arising from the “ever changing landscape affecting their operations” while working within the constraints of budgets and deadlines, the EDPS acknowledges the need for a “specific framework that helps . . . to manage [these] uncertainties . . . and indicates how to best react to these uncertainties within the constraints of their work environment.”
In light of this background, the guidance describes an information security risk management (“ISRM”) process based on ISO 27005 with the following steps:
1. Context Establishment: Relevant facts are gathered, risk evaluation criteria are established, roles and responsibilities are assigned, and the scope and objectives of the process are defined.
2. Risk Assessment
a. Risk Identification: Relevant risks to the organization are identified.
b. Risk Analysis: Identified risks are analyzed to determine the probability and consequences of each one.
c. Risk Evaluation: Risks are evaluated using the criteria established in the Context Establishment stage and prioritized accordingly.
3. Risk Treatment: The organization decides whether to reduce, avoid, or share each risk; residual risks are calculated.
4. Risk Acceptance: The organization either accepts each residual risk or engages in additional risk treatment to attain an acceptable level of residual risk.
5. Risk Communication and Consultation: Risk-related information is communicated to relevant stakeholders to obtain buy-in.
6. Risk Monitoring and Review: Risks are consistently monitored to ensure the organization’s management of each one is appropriately adjusted in response to changes in the risks. For instance, the guidance states: “Since threats, technologies, processes and other factors relevant for the risk assessment evolve constantly, it is necessary for EU institutions to regularly review their risk assessment and the selection of security measures.”
With regard to Article 22, the guidance provides fairly detailed advice on how to apply the ISRM framework in a manner that complies with the Regulation’s security requirements. Of particular note, it states that “[i]n order to properly comply with the legal obligation under Article 22 of the Regulation . . . EU institutions must always apply state of the art risk assessment and risk management. Appropriate security measures can only be derived from this process of risk management.” It also specifically addresses budgetary constraints in relation to ISRM, stating that “comprehensive cost-benefit analysis should be used to assess the security measures to be chosen, where appropriate also considering different options to be implemented.”
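The ISRM steps listed above and the cost-benefit selection of measures described in this paragraph, modelled as a small risk-register calculation. This is an added example, not code from the EDPS guidance or ISO 27005; the scoring scales, acceptance threshold, sample risk and candidate measures are constructed assumptions.

```python
from dataclasses import dataclass
from itertools import combinations

# Context Establishment: criteria fixed before any risk is scored. The scoring
# scales and threshold are constructed values, not taken from the EDPS guidance.
ACCEPTABLE_LEVEL = 4   # residual level at or below this needs no further treatment

@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int    # 1 (rare) .. 4 (almost certain)
    consequence: int   # 1 (minor) .. 4 (severe)

@dataclass(frozen=True)
class Measure:
    name: str
    option: str        # "reduce", "avoid" or "share", the treatment options the guidance names
    likelihood_cut: int
    consequence_cut: int
    cost: int          # constructed budget units for the cost-benefit step

def analyse(risk: Risk) -> int:
    """Risk Analysis: level = likelihood x consequence."""
    return risk.likelihood * risk.consequence

def residual(risk: Risk, measures: tuple[Measure, ...]) -> int:
    """Risk Treatment: residual level once a set of measures is applied."""
    if any(m.option == "avoid" for m in measures):
        return 0       # avoiding the processing removes the risk entirely
    lik = max(1, risk.likelihood - sum(m.likelihood_cut for m in measures))
    con = max(1, risk.consequence - sum(m.consequence_cut for m in measures))
    return lik * con

def treat(risk: Risk, candidates: list[Measure]) -> tuple[tuple[Measure, ...], int, bool]:
    """Cost-benefit selection plus Risk Acceptance: cheapest measure subset meeting
    the criterion; False means no subset does, so additional treatment is needed."""
    best = None
    for n in range(len(candidates) + 1):
        for subset in combinations(candidates, n):
            res, cost = residual(risk, subset), sum(m.cost for m in subset)
            if res <= ACCEPTABLE_LEVEL and (best is None or cost < best[1]):
                best = (subset, cost, res)
    if best is None:
        return tuple(candidates), residual(risk, tuple(candidates)), False
    return best[0], best[2], True
# Constructed sample: one identified risk and three candidate measures.
EXFIL = Risk("Bulk export of HR records via a compromised account", 3, 4)
CANDIDATES = [Measure("MFA on the HR application", "reduce", 1, 0, 2),
              Measure("Encrypt exports, keys held by the DPO", "reduce", 0, 2, 3),
              Measure("Cyber-insurance cover", "share", 0, 1, 4)]
```

Re-running treat() with updated scores is the Risk Monitoring and Review step: when the likelihood or consequence of a risk changes, the selected measures and the acceptance decision are recomputed rather than carried forward.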
Finally, the guidance advises the E.U. institutions on the implied requirements associated with the implementation of a “proper” ISRM program, as well as on the tasks associated with ISRM generally performed by particular functions within the organization, such as the Information Security Officer and Management.
Organizations subject to E.U. data protection laws may wish to carefully review the EDPS’s ISRM recommendations in light of the fact that the guidance may be used (for instance, by the Data Protection Authorities) to interpret the security provisions of other, more generally applicable directives and regulations.