Costs and security

By | Monday January 9th, 2017

The GDPR allows the controller to take into account also the cost of the security measures required to comply: article 32 says “Taking into account the state of the art, the costs of implementation…”. Compared to the current legislation this fact is strongly innovative, at least in Italy.

“Taking into account the costs” is a statement that must be placed totally inside the controller’s accountability principle and, therefore, it must be part of the overall, documented evaluation of personal data security requirements to comply: treatment-related risks must be identified, the probability for them to occur and related potential damages evaluated. Then possible solution must be analyzed, along with their costs, their  impacts on the organization and their limitations, that is the residual risk after the implementation of the solution.

Only at this point a comprehensive evaluation of the sustainability of the overall solution’s costs – not only the economic ones – related to the actual company’s context can be done.

It must be underlined that the cost of a security measure doesn’t relate only to the purchasing price of the technology or of the services which the measure is made of. It includes also the resources required to make the organization capable to use that technology and services properly.

To be effective, a technology can require that a certain organization and/or a collateral technology are in place or that some competencies or roles are established within the company. In absence of these elements adopting a tool or acquiring a service may result not effective or even counter-productive.

It is a complex evaluation and it is a Controller’s responsibility to make it. And this is absolutely appropriate: according to the GDPR it is up to the Controller and within his responsibility to decide if an investment is applicable to the actual company’s organization and compatible with the available resources and consequently to adopt a certain technological or organizational measure to address a specific risk.

This evaluation must remain within the accountability principle that implies the duty of being able to demonstrate why the decision was made. The cost cannot be an excuse for not implementing a security measure while it is one of the parameter used by the controller to decide his security strategy.

Of course, the monetary cost of a measure Is relevant: a security measure cannot make unsustainable the treatment it was supposed to protect.

If decision’s rationals are reasonable and properly documented, in case lawsuit or controlling Authority’s inspection the Controller won’t chargable for not adopting the security measure. In that case the rationals that are behind the decision will have to be contested: the evaluations on the organization and on the available resources that led to the decision.

It means that company’s balance sheet and organization will have to be considered.

Of course, particularly if the risk level is high and the identified solution is effective, just to say “no” can be considered inadequate: if that solution is needed but not applicable for cost or organizational reasons, alternative measures must be applied to reduce the risk, while a plan to make it applicable in future is put in place.

Share with...Tweet about this on TwitterShare on LinkedInShare on Google+Share on Facebook
Category: Impact, Risk and Measures Legal framework Roles and Liabilities Sanctions Tags: , ,

About Sergio Fumagalli

Vice President Zeropiu Spa, system integrator specialized in digital identity and data security with operations in Italy and in the Nordics. After serving as MP in the Italian Parliament, I started a professional collaboration with the Data Protection Italian Authority and a professional activity on these topics. Co-author of “Privacy guida agli adempimenti”, IPSOA, 2004, 2005 a book on compliance to the Italian Law. Since 2008 member of the Oracle Community for Security - http://c4s.clusit.it/views/Homepage.html - and since 2014 member of the board of Clusit a leader association on IT Security in Italy Between 2004 and 2012 member of the board of Webank Spa, the online banc of the Banca Popolare di Milano group.

Leave a Reply