GDPR Learning Hub

The Principle of Integrity and Confidentiality

Article 5(1)(f) of the GDPR

Summary of the GDPR Principle

The principle of integrity and confidentiality means that companies must ensure that their processing of personal data is secure and confidential. In addition, the company must assess the risks that the processing entails for the data subjects. In order to comply with the principle of integrity and confidentiality, the company shall take various technical and organisational security measures.

Kindly note that the company must also comply with the other basic data protection principles, such as the Data Protection Principle of Data Minimization.

The company must take measures to counteract personal data breaches and comply with the principle of integrity and confidentiality

A personal data breach is a form of security incident. Under the GDPR, a personal data breach occurs when personal data is accidentally or unlawfully altered, lost or accessed by an unauthorised person. According to the principle of integrity and confidentiality, the company must protect personal data against such events.

A common personal data breach is an email sent to the wrong recipient due to a human error. For example, this can occur when the sender misspells the recipient’s email address.

A company may in some cases be required to report personal data breaches to the national data protection authority. Where such reporting is required, the company shall make the notification within 72 hours from the detection of the breach. In addition, the company may also need to notify the affected data subjects of the personal data breach. Failure to report personal data breaches in a timely manner can result in fines due to breach of the GDPR. 

Take technical and organizational security measures to fulfill the principle of integrity and confidentiality

Companies shall prevent personal data breaches by taking appropriate safeguards. This is a central point of the principle of integrity and confidentiality under the GDPR. Safeguards can be divided into two categories: organisational and technical security measures. Below you can read some examples of such measures.

Examples of technical security measures

Use antivirus software

Viruses can lead to the loss of personal data. They may also allow the attackers who planted the virus to access personal data. Therefore, companies should have antivirus software installed on the devices they use to process personal data.

Have backup files

For example, if a hard drive containing personal data is destroyed and the company has no backup files, that is a personal data breach. In addition, recovering the lost data can be time-consuming. Therefore, it is good to have backup files, for example via a cloud service.

Enable Multi-Factor Authentication (MFA) at login

It is good to have Multi-Factor Authentication (MFA) for the various systems users log in to. This can prevent an unauthorized person from accessing the information in the system, even if they have obtained the password.

Use complex and unique passwords

A common mistake is using passwords that are too simple. Another common mistake is reusing the same password for several different systems or user accounts. If the same password is used everywhere and someone obtains it, the problem is far bigger than if the passwords were different. In addition, attackers use automated tools that try thousands of different passwords to see if one fits. Therefore, one should use strong passwords together with a secure system for storing and looking up passwords. This and other useful cybersecurity knowledge is something the company should inform and educate its employees about.

Encryption of personal data

If a company processes sensitive personal data and needs to send the information by email, for example, it should be done with encryption. Sensitive personal data include data revealing ethnic origin, political opinions, religious or philosophical beliefs, and data concerning health. Companies, as employers, often process data on employees’ health, such as sick leave. This type of information appears, among other places, on the payslip. A company should therefore not send such information to employees by unencrypted email.

Examples of organizational security measures

Draw up and conclude a written data processing agreement

Companies that are data controllers and engage another company as a data processor shall enter into a data processing agreement with each other. Article 28 of the GDPR governs this requirement. In addition, the agreement must be in writing in order to be valid under the GDPR. When a company processes personal data on behalf of another company, it is a data processor. An example is when a company hires an accounting firm to manage the company’s bookkeeping. A processor may also engage another processor (referred to as a “sub-processor”); however, this may only be done with the consent of the controller.

Establishing internal procedures

Companies should have internal procedures in place to ensure that staff process personal data in accordance with the GDPR in practice. Which internal procedures the company should have varies depending on, among other things, the size of the company, the industry in which the company operates and the nature of the personal data that the company processes. Examples of what the internal procedures may cover are the following:

  • Notification and handling of personal data incidents
  • Deletion or anonymisation of personal data
  • Management of data subjects’ exercise of their rights, for example the data subjects’ right of access (Article 15 GDPR), right to rectification (Article 16 GDPR) and right to be forgotten (Article 17 GDPR).

Designate a Data Protection Officer

Some companies are required to appoint a data protection officer under the legal requirements of the GDPR. The Data Protection Officer has an important role in the company, but does not necessarily have to be an employee. It may also be an outside third party who is a data protection officer for a company. Both data subjects and employees should be able to contact the Data Protection Officer in case of any questions. The same applies to the national data protection authority. Therefore, it is common to include the contact details of the data protection officer in the company’s privacy notice. Companies that are not required to appoint a data protection officer under the GDPR may choose to do so anyway as a voluntary measure.

Appoint Data Protection Ambassadors

If the company has many employees or several different offices, it may be a good idea to appoint data protection ambassadors. Employees with this role act as mediators of information about the GDPR between the company’s various units and employees. The purpose is primarily to ensure that important GDPR-related information decided on by management reaches employees, for example by communicating new GDPR routines to employees, or by passing information about detected personal data incidents back to management.

User permissions

It is important that the company ensures that users of the various systems that process personal data have the right permissions. For example, only a few people should have user accounts with administrator rights. Furthermore, the company should only grant a user access to data when it is necessary for the performance of their work. This is one way to reduce the risk of personal data breaches. When an employee stops working for the company, it is also important to have procedures in place to ensure that they no longer have access to the company’s systems.

Starting point for safeguards in the processing of personal data and fulfillment of the principle of integrity and confidentiality

Legal basis and data protection principles

Companies must have a legal basis for each individual processing of personal data. There are a total of six legal bases. These include, among others, contracts with data subjects (Article 5(1)(b) GDPR), legal obligation (Article 5(1)(c) GDPR) and consent (Article 5(1)(a) GDPR).
In addition, companies must comply with the seven basic data protection principles. Article 5 of the GDPR governs the principles. They permeate the entire GDPR and are important to know as a data controller or data processor. 

Analyze the object of protection

When a company processes personal data, it entails risks for the data subject. First of all, the company should analyze the object of protection. This means that the company must assess what personal data it needs to process and how sensitive that data is. The company should do this before starting the processing.

Analysis of risks and measures

After the company has analysed the protected object, they need to analyse the risks involved in the processing. In addition, companies need to analyse what measures they should take to minimise risks. In some cases, companies also need to carry out impact assessments for certain types of processing operations. The more sensitive personal data companies process, the more safeguards they need to take. If the data subjects are particularly vulnerable because of, for example, age or state of health, the requirements are higher. 

Document everything

According to the GDPR, companies must be able to demonstrate that they comply with the GDPR in practice. This requirement follows from the principle of accountability (Article 5(2) GDPR), which is one of seven data protection principles. Therefore, it is important that the company documents all actions, analyses, assessments, routines, obtaining consent, etc. It is the company that must be able to demonstrate that they comply with GDPR. It is not the data subjects who need to show that the company is in breach of GDPR. 

Companies had to pay a fine because, among other things, they had not carried out a data protection impact assessment (DPIA)

Three companies were fined by the supervisory authority in Finland for their infringements of the GDPR. One of the companies had tracked the location of its employees’ vehicles using a driving data system. This posed a high risk to the rights and freedoms of data subjects and therefore required a data protection impact assessment. The company should have conducted this assessment before processing the personal data. The consequence for the company was a fine of EUR 16 000.

Processing that is particularly risky under the GDPR

There are certain types of processing that are particularly risky under the GDPR. For example, when a company processes:

  • Sick leave for employees.
  • Compensation to employees.
  • Information about the union affiliation of the employees.
  • Information that is collected for the purpose of tracking the performance of employees.
  • Checks on the identity of employees by means of facial recognition or other biometric data.

Other data protection principles

The Principle of Accountability under GDPR

Companies must be able to demonstrate that they comply with the GDPR in practice. This means that it is not the data subjects or the supervisory authority who need to show that the company is in breach of the GDPR. For example, companies must write the agreements and documents that are necessary under the GDPR, document their processing and comply with the rights of data subjects, etc. If a company violates the GDPR, it can have major financial consequences. In the worst case, companies may have to pay a penalty of a multi-million dollar amount. Article 5(2) of the GDPR governs the principle of accountability.
