
I'm reading about the GDPR here and there. However, I see no requirements on how data is actually to be protected, such as

  • Minimum password length requirements
  • Second-factor authentication
  • Backup protection policies

and the like.

What about a data subject giving consent but ONLY if they guarantee a second factor will always be required, for example?

Can companies be sued for bad/non-compliant protection (before a breach)?

schroeder
Marcel
    I don't believe so. You can sue them after a breach, if their security was insufficient. However, the GDPR does not mandate exact methods and procedures, as that would hamper development. There are many misconceptions, for example that forcing symbols and numbers in passwords increases security. The lawmakers would inevitably get it wrong and even if not, it would get obsolete quickly. – Peter Harmann Apr 26 '18 at 21:57
    The things you listed are about account protections, not about PII protections. And you can only sue if there is harm. GDPR allows for non-material harm in the event of a breach, so you would have to show A) a breach, and B) harm. Just bad practice is not something you can sue over. – schroeder Dec 14 '18 at 15:27
  • GDPR is simple: don't collect user PII unless you have the ability to secure it. – mootmoot Apr 03 '19 at 13:07

1 Answer


In the GDPR regulation (Article 39, on page 7), it says

Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.

So this is down to the controller. If the controller is not willing to learn and adapt security controls and mechanisms, then they may fall short, and that could result in a breach. The reason the regulation may not specify how to protect the data is that every company is different and will require different security measures. It's also good to follow certifications like Cyber Essentials and ISO 27001 to ensure the correct security controls and procedures are in place.

I'm not too sure on the legal side of being sued, but I suppose if it's in a contract of work stating that certain security measures are in place, then they are in breach of the contract.

Alex Probert