Data Security on the Ground: Investigating Technical and Legal Requirements under the GDPR

  • Marjanov T
  • Konstantinou M
  • Jóźwiak M
  • et al.

Abstract

The GDPR has been in force since 2018, but there is still uncertainty about how to comply with several of its provisions, including Article 32 which sets forth the requirements for data security. While scholars in this field have previously analysed the law or the industry standards, we use the fines imposed so far for violation of Article 32 as our primary data. We annotate and analyse technical and legal aspects of a representative subset of cases. Using clustering, four groups of cases with distinct characteristics emerge from our research. Three of the four groups of cases suffer from data incidents, but for different reasons: a targeted attack, non-technical human mistakes, or a combination of mistakes. The final group includes cases where no actual data incident happened, but fines were still imposed due to insufficient organisational measures and high risk or imminent harm to the data subjects. We uncover from the cases different measures that apply to each of the groups, ranging from compliance with the highest industry standards to organisational measures and enhanced internal privacy awareness.

Citation (APA)

Marjanov, T., Konstantinou, M., Jóźwiak, M., & Spagnuelo, D. (2023). Data Security on the Ground: Investigating Technical and Legal Requirements under the GDPR. Proceedings on Privacy Enhancing Technologies, 2023(3), 405–417. https://doi.org/10.56553/popets-2023-0088
