Trends in Interpretation of EU Data Protection Authorities of Cybersecurity Requirements Under the GDPR
Author(s): GĂBUDEANU, Larisa
Author(s) keywords: article 32, data protection, enforcement, GDPR, security by design
Reference keywords: cybersecurity, GDPR, legal, requirements
Abstract:
One of the main legal requirements introduced by the GDPR is the set of technical and organizational security measures, alongside the transparency and purpose limitation principles. The broad wording used by the GDPR for state-of-the-art security measures has given rise to a range of interpretations, both in the literature and by data controllers and data processors. The manner in which national data protection authorities interpret this wording on a case-by-case basis is a good indicator of its meaning, since the authorities examine the specific use case that required preventive security measures. Thus, this research paper brings additional clarity to the interpretation of this legal requirement in terms of the risks and damages considered relevant for a specific data breach or for an inadequate implementation of the legal requirement, based on publicly available information. Further, the paper reports the number of use cases analyzed by the different national data protection authorities and the views of each authority.
Date of Publication: 2022-06-28
Publication: International Journal of Information Security and Cybercrime
ISSN: 2285-9225 e-ISSN: 2286-0096
Digital Object Identifier: 10.19107/IJISC.2022.01.01
Issue: Volume 11, Issue 1, Year 2022
Section: Advances in Information Security Research
Page Range: 9-14 (6 pages)
Copyright ©2012-2024
The International Journal of Information Security and Cybercrime (IJISC)
All rights reserved