Compliance beyond good practice: What regulators see as ‘appropriate’ security measures
Abstract
This paper explores enforcement trends regarding cyber security under the General Data Protection Regulation (GDPR) and other European laws. Drawing on decisions by data protection authorities in the UK, Sweden, Spain, Belgium and Greece, the paper analyses how fines are not imposed for cyber security breaches alone but for the broader structural failures and lapses in compliance that they can reveal. This underlines the fact that cyber security is not a fixed state but a continuous process of risk assessment, mitigation and documentation. Leveraging case studies, the paper examines requirements from regulators, such as documented risk assessments, timely patching and software upgrades, regular employee training, incident response planning, effective user authentication and system logging. One notable lesson is the importance of organisations providing evidence of why certain security measures were either taken or omitted, especially when deviating from best practice. The paper stresses the importance of ensuring that written rules are not only well designed but effectively implemented and monitored, as well as the growing emphasis on proportionality in enforcement. It stresses the broader implications of GDPR enforcement decisions regarding cyber security, as the legislative standard used in the GDPR, ‘appropriate technical and organisational measures’, also appears in identical or similar form in other laws, such as the Digital Services Act or the NIS2 Directive. The paper encourages organisations to treat cyber security as an evolving process, to stay up to date and to document decisions, but also to defend well-founded choices even in the face of regulatory scrutiny. This article is also included in The Business & Management Collection which can be accessed at https://hstalks.com/business/.
Author's Biography
Peter Craddock is a lawyer with a software development background, offering a unique blend of legal and technical knowledge. He is sought after by a diverse clientele, ranging from start-ups to established multinational corporations, for guidance on global data strategies and European Union (EU) data litigation, including appearances before the EU Court of Justice. Based in Brussels, he helps international companies find legal solutions to technical problems and technical solutions to legal problems. Peter is a prominent voice, notably in the AdTech and digital advertising space and on ePrivacy evolutions. He helps drive innovation and optimise data utilisation across the EU and beyond. His strategic counsel and legal support span the critical domains of privacy and data protection, data governance, artificial intelligence (AI) governance, cyber security, e-commerce, digital transformation and software contracting. Peter’s dual background as a lawyer and software developer uniquely equips him with the ability to analyse the possibilities offered by data protection laws and emerging technologies through a multifaceted lens. His commitment to client success is evident in his hands-on approach to developing compliant initiatives and smart compliance tools. Notably, his data breach risk assessment tool received a ‘Highly Commended’ accolade at the Financial Times Innovative Lawyers Awards 2019, and his General Data Protection Regulation (GDPR) fine calculation tool, DeFine, serves to clarify data protection financial risks for organisations worldwide.