France: CNIL's Guide to "Security of Personal Data" under GDPR

On 4 April 2018, the French Data Protection Authority CNIL published a new guide to "Security of Personal Data" under the GDPR. This new guide presents the basic precautions to be implemented systematically.

GDPR Obligation

The GDPR provides in Article 32 that "the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk". For those less familiar with risk management methodologies, it is difficult to implement this approach and to ensure that at least the minimum has been done.

CNIL's Guide

To help professionals establish GDPR compliance, the CNIL's guide sets out the basic precautions to be implemented systematically. The guide can be used within a risk management system, which usually consists of the following four steps:

  1. Listing the processing of personal data, the data processed (e.g. customer files, contracts) and the media on which they rely.
  2. Assessing the risks caused by each processing operation by:
    • identifying the potential effects on the rights and freedoms of the individuals concerned, the sources of risk (who or what could be the cause of each feared event?) and the possible threats (what could allow each feared event to occur?);
    • determining the existing or planned measures which allow each risk to be dealt with (e.g. access control, backups, traceability, security of the premises, encryption and anonymisation);
    • evaluating the severity and likelihood of the risks with regard to the previous elements (for example on a scale of negligible, moderate, significant, maximal).
  3. Implementing and checking the planned measures.
  4. Carrying out periodic security audits.

CNIL's guide to "Security of Personal Data", 4 April 2018

CNIL, "A new guide regarding security of personal data", 4 April 2018

Verlag Dr. Otto Schmidt, 16 April 2018, 17:48
