With State Gazette, Issue 43 of 25.05.2018 Ordinance No. 1 dated 30 January 2013 on the Minimum Level of Technical and Organizational Measures and the Admissible Type of Personal Data Protection (the Ordinance) was repealed. The Commission for Personal Data Protection (CPDP) has announced that the Ordinance is to be revised and transformed into methodical guidelines to the controllers without committing to a specific deadline (https://www.cpdp.bg/en/index.php?p=element&aid=1151).
Thus, among other uncertainties concerning the application of the General Data Protection Regulation (“GDPR”), yet another important question arises – what technical and organizational measures should be applied by the organizations from now on in order to ensure an appropriate level of security of the data they process.
Applicable measures under the repealed Ordinance
The repealed Ordinance provided for 5 types of personal data protection (physical, personnel, documentary protection, protection of automated information systems and/or networks and cryptographic protection) and contained detailed regulation of the technical and organizational measures for their implementation.
The CPDP’s previous approach was to oblige the controllers to carry out an impact assessment on each personal data register they keep. On the basis of the determined level of impact for the register the controllers had to apply corresponding level of data protection – a mandatory minimum set of measures settled for each level of impact in the Ordinance. Now the lack of compulsory list of such measures leaves plenty of room for speculation in this respect, so the analysis below is intended to bring some clarity on the issue.
Art. 32 of the GDPR lists some exemplary, but not mandatory measures such as pseudonymization, encryption, etc., which can offer the organizations guidance in terms of what measures are considered appropriate. Of course, the final choice depends on the context and the purposes of the processing. In this sense, although both controllers and processors are not required to apply any of the measures explicitly listed in the GDPR, their obligation to ensure the security of the data processed remains.
Applicable technical and organizational measures from now on
In the process of assessment every controller or processor should bear in mind the following:
First, the GDPR focuses on the protection of personal data as a fundamental human right of the EU citizens. Therefore, the understanding that the GDPR constitutes а “fully technological framework” is untrue. The requirement to implement technical and organizational measures to ensure data security undoubtedly has an important role, but it is just one of the seven basic principles of data protection laid down in the GDPR. In other words, even if we have applied extremely high security measures, even if all the information we handle is encrypted – if we process these data without legal or for illegal purposes or we have not properly informed individuals about such processing etc., our business will not meet the GDPR requirements whatsoever.
Second, GDPR sets out a number of criteria to guide the controller or the processor in defining these measures and choosing the most appropriate amongst all of them. Through this approach, the European legislator achieves a fairly good balance between the freedom of action and the crucial responsibility for attaining an adequate level of data protection.
Nonetheless, the main set of measures laid down in the repealed Ordinance could serve as a good guidance or as a point of reference in terms of data protection. Of course, the assessment should be tailored to the particularities of each and every type of processed personal data in compliance with the established standards and best practices for information security.
In the meantime, we will continue to monitor and keep you updated on the development of the case and the subsequent regulation on the appropriate personal data protection measures as well as the specific measures, undertaken on local level regarding the implementation of the GDPR.