Preliminary remarks

With the entry into force of the General Data Protection Regulation (Regulation (EU) 2016/679 ('GDPR') back in 2018, controllers and processors alike found themselves in a new paradigm in which each of them could define their own set of rules (within certain standards) to create, maintain, and update their data protection programs. Security of processing is no exception to this new standard and that is why Article 32 of the GDPR specifically leaves leverage to controllers and processors to implement 'appropriate technical and organisational measures to ensure a level of security appropriate to the risk' that adapt to each specific scenario. Said provision solely sets down general rules such as that the relevant measures should include: (i) the pseudonymisation and encryption of personal data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services; (iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and (iv) that controllers and processors should implement a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

While it is undoubtful that this new standard allowed for companies to have a greater liberty in the establishment of their security measures, it is equally true that it creates a greater risk in the sense that it provides less guidance than other solutions adopted in the past in the internal legal regimes of EU countries².

A closer look at the Guidelines

Simply put, the Guidelines are divided into two different sections, as follows:

• The first section focuses on the detection, management, and notification of data breaches and fundamentally summarises the rules set out by the GDPR and reminds controllers and processors of the importance of having procedures in place to be able to comply with the rules of the GDPR and, most notably, the rules of Article 33 and 34 thereof.
• The second section which we will detail below provides for a set of measures that can be followed by controllers and processors in relation to their security practices regarding personal data processing. The Guidelines divide the measures into organisational and technical ones, with the latter subject to subsequent sub-divisions.

Considering the novelty of such measures in the Portuguese data protection regulatory framework and for the purposes of this article, we decided the closely follow the list set down the CNPD, as each measure should be individually considered to ensure that controllers and processors have an adequate picture of what they expect when operating in the Portuguese market.

What to expect in relation to…

Organisational measures

In relation to this topic, controllers and processors should consider the definition of an incident response and disaster recovery plan that provides for the necessary mechanisms to ensure information security and resiliency of systems and services, as well as create systems that allow for data availability to be restored in a timely manner after an incident. Furthermore, information should be classified according to the level of confidentiality and sensitivity and any corresponding security policies should be duly documented.

Further, controllers and processors should adopt analysis procedures for monitoring of traffic flows on the relevant networks, as well as alarm systems to identify situations of access and/or misuse.

In addition, controllers and processors should foster a culture of privacy and information security among employees, so that each employee is able to recognise potential threats and act accordingly. Said culture should also focus on trying to reduce the occurrence and impact of human error and make employees aware of their duty of confidentiality that are bound too. This is an especially interesting measure to the extent that a fundamental part of an effective security program is that all parties involved in the same (notably, any employee and/or other parties that might have access to the systems) are properly trained.

Other measures highlighted by the CNPD include: (i) the definition of secure password management policies and the creation of user lifecycle management policy to ensure that each employee (or contractor) has access to only the data needed to perform their job; (ii) the definition, at an early stage, of the best information security practices to be adopted, either in the software development of software development, and in the acceptance test phase; and (iii) the conduction of systematic IT security audits and vulnerability assessments (i.e. penetration testing).

Finally, the CNPD emphasises the importance of periodically evaluating internal technical and organisational security measures and updating and revising them whenever necessary.

Technical measures

Considering the multitude of subcategories in which said type of measures can be included, the CNPD subdivided the technical measures into seven categories, which can be highlighted as follows:

Authentication

Regarding this topic, controllers and processors should implement systems with strong and complex passwords, following a certain minimum criterion, and consider the application of multi-factor authentication for systems that could contained sensitive information.

Infrastructure and systems

In relation to infrastructure and systems, controllers and processors should ensure that all relevant software and hardware is kept up to date (notably, servers, terminal operating systems, applications, firewall and network equipment).

Further, attention must be given to the design and organisation of the systems and infrastructure to allow for segmentation or isolation of the same and the prevention of the spread of malware within the organisation and to external systems, as well as to the reinforcement of the security of workstations and servers, including, among other criteria, the blocking of access to sites that are likely to pose a security risk and of suspicious redirections through search engines.

Email tools

An appropriate usage of email and the corresponding accounts is crucial given that this is a fundamental work tool for many controllers and processors. With this idea in mind, controllers and processors should define clear internal policies and procedures on the specific sending of email messages containing personal data, introducing the necessary additional checks to make all necessary verifications (for example, ensuring the insertion of the recipients' email addresses in the 'Bcc' field and that files sent in attachments contain only the personal data intended to be communicated).

Moreover, controllers and processors should also consider the creation of distribution lists or contact groups, with the objective of preventing the disclosure of recipients' addresses in bulk emailing operations mass mailing operations, and the creation of rules with the purpose of postponing/delaying the delivery of emails containing personal data, keeping them in the 'Outbox' for a certain time allowing compliance checks after clicking the 'Send' button.

Additionally, and among other measures, the CNPD also highlights the need to encrypt any emails that contain personal data, and the carrying out of training actions for employees to create awareness in relation to the use of email tools.

​​​​​​​Protection against malware

In relation to measures related to protection against malware, controllers and processors should use secure encryption especially for access credentials, special data, data of a highly personal nature or financial data, as well as create up-to-date, secure, and tested backup systems. Also, controllers and processors should strengthen their system with anti-malware tools that include the ability to scan and detect any ransomware-type threats.

​​​​​​​Use of equipment in external environments

Considering that more often than not, work is conducted on a remote basis, this is a specifically interesting point to be considered by controllers and processors alike. More to the point, the CNPD highlight the importance of the use of VPN systems, associated with additional measures such as the blocking of accounts after multiple invalid login attempts, the enablement of multi-factor authentication for equipment users, and the use of data encryption to the relevant operating systems, among others.

Furthermore, it is essential that controllers and processors define clear and appropriate rules for the use of equipment in external environment to allow all parties to be informed and aligned on the 'dos' and 'don'ts' in each organisation.

​​​​​​​Storage of paper documents containing personal data

While we are evolving to an increasing digital world, it is equally true that some documentation, by its very nature, is bound to still exist in paper format. Accordingly, in said cases, controllers and processors should ensure that documentation containing personal data is stored in proper locations from an environment standpoint, implement access controls detailing matters such as the 'who', 'when', and 'what' was accessed and, whenever documentation is destroyed, that proper 'safe' destruction mechanisms are in place.

​​​​​​​Transportation of information that incorporates personal data

Regarding this topic, controllers and processors should adopt measures to prevent that, in the transportation of information containing personal data, these may be read, copied, altered, or deleted in an unauthorised way, and use secure encryption in transportation, in mass devices, or potentially permanent archive permanent archive (such as pen drives).

Closing remarks and next steps

With the Guidelines, the CNPD has taken an important step from a regulatory standpoint and has effectively placed itself in an interesting position in relation to other supervisory authorities in the EU.

In fact, the Guidelines have effectively clarified some key concepts and they provide useful and practical guidance to both controllers and processors on the specific organisational and security measures that can be taken to protect any personal data processed in the scope of their activities in the Portuguese jurisdiction. Considering this, it is important for controllers and processors to review and revise their own measures to evaluate that they are up to date with the Guidelines and, thus, decrease the risk of being subject to sanctioning procedures by the CNPD.

Pedro Marques Gaspar Manager
[email protected]
PwC, Madrid

1. See: https://www.cnpd.pt/umbraco/surface/cnpdDecision/download/122048 (only available in Portuguese)
2. By way of example, the Spanish legislator enacted a Royal Decree back in 2007 in which it set down in detail the specific list of measures that controllers and processors should respect considering the risk associated with the specific types of personal data processed by the same.