Information Security: The GDPR and SMEs in Denmark

(1)

Information Security: The GDPR and

SMEs in Denmark

Master Thesis

Emma Sprøgel S2103486 Master Thesis

Supervisor: Dr. Els de Busser Crisis and Security Management 17/18 Faculty of Governance and Global Affairs

Leiden University 5 August 2018

(2)

Emma Sprøgel Master Thesis 2018 Leiden University

Acknowledgements

This master thesis represents the conclusion of my academic life. It has been a period which has taken me to four universities in three different countries and through numerous courses over the last five years. It has introduced me to many inspirational professors, fellow students, and friends. All of this has prepared me intellectually, culturally, and socially for the next phase of my life. I therefore want to thank everyone who I met and worked with along the way during these five years for all the valuable pieces of advice, encouragements, and feedback I have received.

The process of this thesis started eight months ago when ideas started forming. I knew that I wanted to research something relating to privacy and information security. The GDPR presented itself as an obvious choice. After listening to different family members’ challenges in their professional lives with this new piece of legislation and discussing the issues I was hearing about with my thesis supervisor, Dr. Els De Busser, I had found my topic: Article 32 interpretation and implementation by SMEs in Denmark. Through this thesis I have gotten to research concepts such as information security, risk management, data protection legislation, and implementation of EU law. I have gotten a valuable insight into how SMEs and public agencies operate and prioritize. This all amounted to this thesis. It was, however, by no means a process I could have done by myself. I therefore want to thank my interview subjects for volunteering their knowledge, experience, and time for me. Furthermore, I want to thank Dr. De Busser for supervising me and for giving me support, advice, and leading me in the right direction with my thesis.

Finally, I want to thank to my family and friends for your support. To Tibi, I owe a special thanks for your love, support, and inspiration. You encourage and inspire me to be the best version of myself, and you never fail to make me laugh when my stress level is at its highest. My time in the Netherlands would not have been the same without you. The biggest thanks of all, I owe to my parents for all your help and support through the years. You have never doubted my abilities, and you have given me courage to not always take the easiest path in life. For that and many more things, I thank you.

(6)

List of abbreviations

CNIL = Commission Nationale de l’Informatique et des Libertés DPA = Data Protection Authority

DPD = Data Protection Directive 95/46/EC DPIA = Data Protect Impact Assessment

ENISA = European Union Network and Information Security Agency EU = European Union

GDPR = General Data Protection Regulation

OECD = Organization for Economic Cooperation and Development SME = Small and medium-sized enterprises

(7)

Introduction

Introduction to topic

In the last year, the topic of data protection has been buzzing not just in Europe but all over the world. An increasingly interconnected world relying on the exchange of personal data called for new legislation. On 25 May 2018, the European Union’s (EU) General Data Protection Regulation (GDPR) entered into force. The GDPR was adopted on April 14, 2016 thus having a two-year transition period. The regulation is a comprehensive piece of legislation dealing with all aspects of data protection which harmonizes the data protection laws of the member states. However, the GDPR goes beyond the geographical boundaries of the EU and affects any organization controlling or processing the personal data of EU citizens. The GDPR replaces the EU Data Protection Directive.

The GDPR is an unusual EU regulation in the sense that there is a lot of room for national and individual interpretation by the organizations subject to the GDPR. This ensures a large degree of flexibility in the GDPR but it has also presented a challenge for small and medium sized enterprises (SME) who have limited funds and human resources available to deal with1 the interpretation and implementation of the regulation. This challenge is further accentuated by large fines of up to 4% of annual turnover or 20 million euros whichever is higher. It should therefore be explored more concretely what constitutes these challenges for SMEs as well as how it plays out in a national context which in this case will be Denmark.

This thesis will focus on article 32 on Security of Processing. This article talks about the need for organizations to ensure an appropriate level of security when processing personal data. This means the general focus of the thesis will be information security as well as risk management as this is a concept closely connected to information security in the GDPR. The thesis will therefore explore what changes to information security the GDPR brings about, how article 32 is interpreted by SMEs in Denmark, and finally how it is implemented by the SMEs.

1_{An SME is defined by the EU as an enterprise with a staff headcount of less than 250 people and a turnover of}

(8)

Objectives of research and academic relevance

The objectives of this research is to explore how SMEs interpret and implement article 32 of the GDPR in order to get an understanding of what challenges that SMEs in particular are facing as a result of the EU’s new regulation. Using the case of Denmark will furthermore allow the reader to get an understanding of what national room for interpretation there is in the GDPR, and what that means for SMEs and for the security of personal data in general. This thesis is academically relevant given the novelty of the subject on several levels. First and foremost, the GDPR represents a substantial change in European data protection legislation, and it thus calls for academic research on its impacts and implications in the EU member states and beyond for both private and public institutions as well as for individuals. Furthermore, the area of information security is also a highly developing area and it is therefore relevant to continuously research this topic thoroughly. Taken together, the subject of this thesis therefore represents a gap in the academic knowledge on the GDPR and information security, and it is thus of academic relevance.

Main research question

The main research that this thesis will answer is as follows:

"How do SMEs in Denmark define and implement appropriate security measures under article 32 of the GDPR?"

The research question is of an exploratory nature and incorporates a series of subquestions which will be presented in the methodology chapter of this thesis.

Societal relevance

The relevance of this research however is not only academic. It is also relevant on a societal level. As mentioned above, the GDPR represents groundbreaking new legislation in regards to data protection and information security. Unlike most EU regulations, the GDPR leaves room in many areas for interpretation by data controllers, processors, and others actors, and it is thus relevant to get an understanding of the ways this should be interpreted and

(9)

Emma Sprøgel Master Thesis 2018 Leiden University implemented. This is especially important for SMEs who are currently struggling to implement the GDPR and are concerned with the vague language of certain articles as the consequences for not complying with the GDPR are high. This thesis is therefore relevant as it explores the areas of concern and the information security measures available to the SMEs in Denmark in order to comply with the new legislation. Moreover, research on information security in general is of high societal relevance as the number of cyber attacks are increasing and the amount of personal data held by various organizations is likewise increasing. It is therefore essential that SMEs are properly prepared for attacks in a way that ensures the highest level of information security.

Structure of thesis

The thesis will be structured as follows. The theoretical chapter/the body of knowledge of this thesis will outline the theoretical background and provide definitions of information security, cyber security, and data security followed by a section on article 32 of the GDPR. The chapter will moreover provide a short literature review on risk management followed by a presentation of Vellani’s model on security risk management which will be the basis of the interview analysis. After that there is a section explaining the risk based approach of the GDPR. Finally, there is an overview of other relevant legislation in order to get an understanding of what the GDPR will be replacing and what will supplement it both on a European and on a Danish level.

The second chapter is a methodological chapter. It will state the research question and the sub-research questions, present the research design, and go through the methods used in this thesis. Finally, it will present the operationalization schemes which have been used to analyze the interviews conducted and the documents used for this thesis.

The third chapter will present the analysis and results of the research. It will start by analyzing the difference between the GDPR and existing legislation in the EU and Denmark to get an understanding of to what extent the security of processing obligations of the GDPR are new. The section will also go beyond legislation and touch upon the culture of data protection in Denmark. This will be followed by a section analyzing the risk assessment processes of Danish SMEs and presenting the results from the interview analysis and the

(10)

Emma Sprøgel Master Thesis 2018 Leiden University document analysis. The section will answer how Danish SMEs interpret “appropriate technical and organizational security measures”. The next section will answer how the Danish SMEs implement appropriate security measures. The section will look at what guidance the SMEs have received, what they have prioritized in the implementation process, as well as look at the role of the Danish Data Protection Authorities (DPA).

The final chapter will be a conclusion on the thesis. This chapter will summarize the main findings, reflect on the research and its weaknesses and limitations and provide suggestions for further research on this topic. In the back there is a bibliography of sources used. Where sources of information have been used, they have been acknowledged.

(11)

1. Theory/Body of knowledge

Security concepts and the GDPR

Concepts such as information security, data security, and cyber security are often used interchangeably and this section will therefore provide the definitions of these concepts which will serve as the foundation of this thesis. It will go on to outline security of personal data in the GDPR namely in relation to article 32 on Security of Processing.

Definition and development of concepts

The GDPR deals with protection of personal data and the security aspect of the regulation therefore is about the security of personal data. Whether this falls under the label of cyber security, data security or information security should be explored further as these terms are similar and do, in fact, overlap in many cases. Cybersecurity is defined by the ITU as:

“the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets. Organization and user’s assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyber environment. Cybersecurity strives to ensure the attainment and maintenance of the security properties of the organization and user’s assets against relevant security risks in the cyber environment. The general security objectives comprise the following:

● Availability

● Integrity, which may include authenticity and non-repudiation ● Confidentiality” 2

Cybersecurity is thus understood as the security and protection of user’s assets in the cyber environment through availability, integrity, and confidentiality. These three principles are

2_{"Cybersecurity," ITU | 2017 Global ICT Development Index, accessed May 24, 2018,}

(12)

Emma Sprøgel Master Thesis 2018 Leiden University commonly referred to as the CIA triad. The user’s assets referred to in this definition could 3 very well be information such as personal data and thus cybersecurity could refer to the security of personal data in the cyber environment. However, this definition goes further than just information and personal data. Cybersecurity incidents also encompass cyber bullying, Internet of Things (IoT) security, and cyber terrorism where the targets of an incident are not information assets but rather non-information assets such as mental health, home appliances, or systems or networks. Von Solms and van Niekerk thus characterize the assets to be secured by cybersecurity as “humans and their interests” as a whole. 4

Taking a closer look at information security, the European Union Network and Information Security Agency (ENISA) defines this concept as:

“the measures taken to defend the information processed within a system (e.g. electronic, physical) from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. The most used model to guide the development and implementation of a framework for managing information security within an organisation is represented by the so called CIA triad: confidentiality, integrity and availability of information.” 5

Overall, this definition appears similar to the ITU definition of cybersecurity. There are however two important distinctions. Firstly, it is explicitly stated that the assets to defend are information. Kovacich and Halibozek point to that there are three main categories of information: 1. Personal, private information, 2. National security information, and 3. Business information. This thesis will focus on the first category given the nature of the6 GDPR. Secondly, whereas cybersecurity takes place in the cyber environment, information security can take place in any system both electronic and physical. It can therefore also refer to incidents involving physical sources of information i.e. paper etc.

3 _{EU. European Union Agency for Network and Information Security.}_{Guidelines for SMEs on the security of}

personal data processing. 2016. 10.

4 _{Rossouw Von Solms and Johan Van Niekerk, "From Information Security to Cyber Security,"} _{Computers &}

Security 38 (October 2013): 98, doi:https://doi.org/10.1016/j.cose.2013.04.004.

5 _{EU. European Union Agency for Network and Information Security.}_{Guidelines for SMEs on the security of}

personal data processing. 2016. 10.

6 _{Gerald L. Kovacich and Edward P. Halibozek, "Chapter 4 - Information Security," in} _{Security Metrics}

Management: Measuring the Effectiveness and Efficiency of a Security Program (Oxford, United Kingdom: Butterworth-Heinemann Is an Imprint of Elsevier, 2017), 39.

(13)

Emma Sprøgel Master Thesis 2018 Leiden University As the CIA triad is an important element in both definitions, it is necessary to further define confidentiality, integrity, and availability. Confidentiality is an integral part of privacy and refers to the ability to protect data from unauthorized individuals, entities, and processes. Integrity refers to the ability to prevent data from being changed in an unauthorized or undesirable manner. It protects the accuracy and completeness of the data. Finally, availability refers to the ability to access data when necessary. This means that the systems that store and process data must be functioning correctly. An example of a breach of availability is Distributed Denial of Service (DDoS) attack. 7

Finally, there is the concept of data security, also sometimes referred to as ICT security. This concept deals with the protection of the technology based systems in which information is stored. The international standard ISO/IEC 13335-1 (2004) has defined data security as:

“all aspects relating to defining, achieving and maintaining the confidentiality, integrity, availability, non-repudiation, accountability, authenticity, and reliability of information resources.” 8

Data security thus involves the protection of the information resources rather than the information in itself. The protection of information resources is also an important part of information security. However, in terms of conceptual differences, protection of information resources is in information security a means to the goal of protecting information whereas in data security it is the goal in itself. Data security can thus be seen as an aspect of information security.

After having defined cybersecurity, information security, and data security as well as the most central elements of these concepts, it is clear that information security is the most appropriate term to use in order to describe the security of personal data. While the GDPR, and thus this thesis, deals with data protection within electronic systems, the asset to secure is personal information. This thesis will therefore use the term information security to explore the security obligations within the GDPR keeping in mind that it is referring to information security of personal, private data in electronic systems.

7 _{Jason Andress, "Chapter 1 - What Is Information Security?" in} _{The Basics of Information Security:}

Understanding the Fundamentals of InfoSec in Theory and Practice_{(Waltham, MA: Syngress, 2015), 6-7.}

8 _{Rossouw Von Solms and Johan Van Niekerk, "From Information Security to Cyber Security,"} _{Computers &}

(14)

Information security in the GDPR: Article 32 and beyond

As information security is essential to ensure data protection, the concept has a central role in the GDPR. In order to understand the security of personal data in the GDPR, it is necessary to first understand how the GDPR defines personal data. Personal data is in article 4 defined as: “_{any information relating to an identified or identifiable natural person ('data subject'); an} identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person._”9

There are also special categories of personal data which are especially sensitive. These are specified in article 9 as “ _{data revealing racial or ethnic origin, political opinions, religious or} philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation _{.” Processing this}

data is prohibited unless explicit consent is given. 10

The most important article in the regulation for information security is article 32 on Security of Processing. The article is divided into four paragraphs. The first paragraph is as follows:

“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the _{risk of varying likelihood and severity for}

the rights and freedoms of natural persons, the _{controller and the processor shall}11 12

implement _{appropriate technical and organisational measures to ensure a level of security} appropriate to the _{risk, including inter alia as appropriate:}

1. the pseudonymisation and encryption of personal data;

9_{EU, General Data Protection Regulation, (2016) Article 4, paragraph 1.} 10_{Ibid, Article 9, paragraph 1 and 2.}

11_{Natural or legal person, public authority, agency or other body which, alone or jointly with others, determines}

the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. (Article 4, paragraph 7 GDPR)

12_{Natural or legal person, public authority, agency or other body which processes personal data on behalf of the}

(15)

2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.” 13

By demanding data processors and controllers to take “appropriate” measures to ensure an “appropriate” level of security, article 32 leaves it up to the controllers and processors to determine what is appropriate for the type of data they have and the type of processing they do. The measures should be both organizational and technical. Organizational measures refer to non-technical measures which a controller or processor take to minimize human errors. Organizational security measures can be security policies, defining roles and responsibilities, access controls, training etc. Technical security measures are those measures implemented14

in the IT system used in order to minimize technical errors. Examples of technical measures are logging and monitoring, back-ups, network/communication security measures, and physical security measures such as intruder detection systems. 15

These organizational and technical measures should be made taking into account “the state of the art, the costs of implementation and the nature, scope, context and purposes of processing”. This means that the GDPR is encouraging stakeholders to effectivize their security measures and reevaluate the amount of data kept (is there a purpose to keep it?), and in this way reduce the costs of security through more effective security measures and by minimizing the amount of data kept. 16

The next important point in the first paragraph is the fact that it mentions four criteria for ensuring an appropriate level of security: pseudonymization and encryption of personal data,

13_{EU, General Data Protection Regulation, (2016), Article 32.}

14 _{Elisabeth Krausmann, Ana Maria Cruz, and Ernesto Salzano, "Chapter 14 – Reducing Natech Risk:}

Organizational Measures," in _{Natech Risk Assessment and Management: Reducing the Risk of Natural-hazard} Impact on Hazardous Installations (Amsterdam: Elsevier, 2017), 227.

15_{EU. European Union Agency for Network and Information Security.}_{Guidelines for SMEs on the security of}

personal data processing_{. 2016. 33-47.}

(16)

Emma Sprøgel Master Thesis 2018 Leiden University ability to ensure the CIA triad, in event of an incident ability to restore availability of personal data in a timely manner, and a process for regularly testing, assessing, and evaluating security measures.

However, it is important to understand that these criteria are not the answer to what is an appropriate level of security. Instead it should be noticed that the paragraph mentions “a level of security appropriate to the risk”. This is what the GDPR calls a risk-based approach. This means that there is no one-size-fits-all approach to information security, and it is up to the processors and controllers determine what is appropriate security measures for their organization based on the “varying likelihood and severity for the rights and freedoms of natural persons” of the risk. The risk-based approach is an important concept to fully dissect in order to properly understand the information security regulations within the GDPR, and it will thus be further expanded on later in this chapter. The second paragraph of article 32 further elaborates on the risks that should be taken into the account when assessing the appropriate level of security especially those risks stemming from breaches of the confidentiality and integrity of the personal data.

The third paragraph is about demonstrating compliance with the requirements of paragraph 1. It mentions adherence to article 40 or article 42 can be used as an element to demonstrate compliance. Article 40 on Codes of Conduct lays out the conditions for making a code of conduct which among other things take into account the “specific needs of micro, small, and medium-sized enterprises”. Article 42 on Certification talks about establishing approved17

data protection mechanisms again taking into account the needs of SMEs. Signing up for 18 either a code of conduct or a certification scheme is not obligatory but it is encouraged as a way to demonstrate compliance with the GDPR. 19

The fourth and final paragraph talks about the requirement of processors and controllers to ensure that no natural person acting under the authority of the processor or controllers who has access to personal data process this data unless they are authorized to do so. The only

17_{EU, General Data Protection Regulation, (2016), Article 40, paragraph 1.} 18_{Ibid, Article 42, paragraph 1.}

19_{"Codes of Conduct," ICO accessed May 24, 2018,}

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-gov ernance/codes-of-conduct-and-certification/.

(17)

Emma Sprøgel Master Thesis 2018 Leiden University exception to this is if the natural person is required to process the data by EU or member state law.

While article 32 is the most important paragraph in the GDPR for information security and thereby for this thesis, it cannot be considered as an isolated article and there are other relevant articles which help ensure appropriate security of processing. First of all, as mentioned the requirement of following a risk-based approach and performing a data protection impact assessment (DPIA) is laid out in article 35. 20 Another important requirement to ensure security of processing is the obligation to notify supervisory authorities, typically the Data Protection Authority (DPA), of personal data breaches within 72 hours as laid out in article 33 and the obligation to communicate the breach to the data 21 subject if the breach is likely to result in a high risk as laid out in article 34. Finally, the 22

obligations in the GDPR to ensure data protection “by design and by default”, meaning that data protection must be integrated into the data processing activities and systems via technical and organizational measures, also contribute to ensuring an appropriate level of information security. This obligation is laid out in article 25 of the GDPR. 23

Information security is therefore a central principle throughout many articles in the GDPR the most central being article 32. Article 32 on Security of Processing lays out the obligations to ensuring a “level of security appropriate to the risk” through “appropriate technical and organizational measures”. This notion of appropriateness is what will be the focus of the analysis conducted later in the thesis.

Security risk management

As clear in the section above, the concept of risk and thereby also risk management is central in the GDPR. This section will start by performing a short literature review of risk management theory before settling on Vellani’s theory on security risk management. Thereafter, the risk based approach and the notion of risk in the GDPR will be further explored.

22_{Ibid, Article 34, paragraph 1.} 23_{Ibid, Article 25.}

(18)

Risk management theory

The concepts of risk and risk management are studied in many academic fields in various ways. Historically, the concept of risk developed in the seventeenth century as a mathematical way to understand the combination between probability and magnitude of potential gains and losses in gambling. Since then the concept has developed and is central 24 in both physical science, life science, applied science, theoretical science, and social science. Gerber and von Solms make a distinction between definitions of risk in the “natural science paradigm” where risk assessment is “a field of objective scientific analysis” and the “social science paradigm” where risk is considered “subjective or perceived risk” and risk evaluation is based on “perception, heuristics or rule-of-thumb guidelines”. Thus, there are different 25

understandings in different fields of what risk is and how to approach it. However, the concept of risk also varies in terms of what you are calculating risks for.

Overall, risk management can be understood as the process of directing and controlling the risks faced by an organization. Most authors agree that risk management is the result of several processes that take place. Some authors point to the steps of risk management being risk identification, risk assessment, and risk monitoring. Risk identification is where you26 find, recognize, and describe risks. In this process you must identify risk sources, events, their causes, and potential consequences. Risk assessment is the process of determining the probability of the risk and classifying it as high, medium or low risk before selecting suitable measures to minimize the risk. Risk monitoring is the final process where you surveil the system in order to determine whether you took the right measures and if there are any risks not previously identified. Other authors also point to additional steps of risk analysis and risk evaluation as part of the risk assessment process. Others again point to risk acceptance, 27 where you accept the presence of residual risk, and risk communication, where you inform stakeholders of the potential risks and controls, as essential risk management processes. 28

24 _{Mariana Gerber and Rossouw Von Solms, "Management of Risk in the Information Age,"} _{Computers &}

Security 24, no. 1 (February 2005): 17, doi:https://doi.org/10.1016/j.cose.2004.11.002.

25_{Ibid, 20.}

26 _{Wissem Ennouri, "Risks Management: New Literature Review,"} _{Polish Journal of Management Studies 8}

(2013): 291.

27_{Paul Baybutt, "Issues for Security Risk Assessment in the Process Industries,"} _{Journal of Loss Prevention in}

the Process Industries_{49 (2017): 510, doi:10.1016/j.jlp.2017.05.023.}

28 _{EU. European Union Agency for Network and Information Security.} _{Information Packages for Small and}

(19)

Emma Sprøgel Master Thesis 2018 Leiden University As mentioned, the concept of risk varies depending on the type. This thesis examines security risk. Security risks are according to Baybutt “incidents with adverse consequences resulting from a deliberate act with the intention of causing harm”. In the process of security risk 29 management, you want to reach the most efficient balance between opportunities for gains and minimizing vulnerabilities and losses. However, it is generally accepted that it is not30 possible to minimize risks to zero. The role of security risk management is therefore to 31 determine when the risk is at an acceptable low level considering costs and benefits.

While there are many different theories and methodologies on security risk management, this thesis has chosen the framework of Karim Vellani as the base of the analysis of the interpretation and implementation of article 32 by SMEs in Denmark. The reason for this choice is that Vellani’s framework is clear and extensive and will thus work well being operationalized into a tool of analysis. It fits this type of research particularly well as the “step by step” security risk management theory of Vellani is suited well for analyzing the few but in-depth qualitative interviews conducted. It can thus help highlight the relevant sections of their answers. Furthermore, as the interviews were conducted with non-academics, Vellani’s clear and approachable theory helps place the information provided by the interviewees in the academic context needed to fulfill the objectives of this research. Finally, it is an important point that Vellani’s theory on risk management deals specifically with security risk management which this thesis also does. Vellani’s theory also explicitly mentions its applicability to information security risk management, and how information can be considered an asset.

Vellani’s concept of asset identification is an important part of the analysis of the risk assessment conducted by the SMEs as it illustrates why article 32 and the GDPR is relevant to the Danish SMEs and the emphasis by Vellani on this action also highlights some of the challenges the SMEs are facing. It was one of the steps where the SMEs faced the biggest

the Process Industries 49 (2017): 510, doi:10.1016/j.jlp.2017.05.023.

personal data processing_{, 2016, 11.}

31 _{Raphaël Gellert, "Understanding the Notion of Risk in the General Data Protection Regulation,"} _Computer

(20)

Emma Sprøgel Master Thesis 2018 Leiden University challenges in the risk management process, and it is therefore central to analysis of this thesis that the concept is dealt with thoroughly and using Vellani’s theory allows for that.

Other risk management theories have also been presented in this chapter. However, they were deemed less suitable for the tool of analysis for the interviews. Gerber and Von Solms also present a theory on risk management suitable specifically for information security risks. However, their scheme is not as detailed as Vellani’s in the sense that it simply goes less into detail with the individual steps and does not take into account asset identification and existing security measures as independent steps. Instead, it only focuses on probability, damaging effects, and beneficial effects. Baybutt’s theory also deals with security risk management.32

However, it zooms in specifically on security risk management in process industries and is thus not an obvious tool for more thorough analysis of information security risk management.

Moreover, it also does not deal thoroughly with asset identification.

33

Ennouri gets around the process of security risk management thoroughly, and goes through many different possible steps in the risk management process. However, his work is a 34 literature review rather than an independent theory and is thus not suitable as a tool of analysis in itself. Thus, after reviewing various relevant theories on the subject, Vellani’s security risk management theory was chosen as the most appropriate for the objectives of this research.

Vellani’s ‘security risk management theory’

The theoretical framework of this thesis will be the risk assessment process as formulated by Karim Vellani in his book _{Strategic Security Management (2007). The book identifies five} steps in risk management: Asset identification, current security measures, threat assessment, vulnerability assessment, and risk assessment. An important aspect of risk management and risk assessment is to accept the notion that you cannot eliminate risk altogether. There will always be some degree of risk present.

32 _{Mariana Gerber and Rossouw Von Solms, "Management of Risk in the Information Age,"} _{Computers &}

Security 24, no. 1 (February 2005): 22, doi:https://doi.org/10.1016/j.cose.2004.11.002.

the Process Industries_{49 (2017): 509, doi:10.1016/j.jlp.2017.05.023.}

34 _{Wissem Ennouri, "Risks Management: New Literature Review,"} _{Polish Journal of Management Studies 8}

(21)

Emma Sprøgel Master Thesis 2018 Leiden University The first step in Vellani’s model is asset identification. An asset is something of value to the organization. It can be people, property or information. In this context, we look at personal 35 data as an asset. Vellani makes a four level scale on the value of assets: low, medium, high, and critical. It is of great importance to identify critical assets which are those that would cause the most damage if lost, damaged or destroyed. 36

The second step is to make an inventory of existing security measures put in place to protect the assets. This is done in order to determine whether an adequate level of countermeasures exists or whether new ones need to be implemented based on the state of the art and the motivations and means of the adversaries. 37

The third step is threat assessment. Vellani defines threat via the threat formula which is “Threat = Intent + Capability + Motivation”. Threats can either be human or natural. Threat assessments are made in order to evaluate the likelihood of adverse events. The focal points of a threat assessment are assets and threat identification meaning identifying potential adversaries and their characteristics. Threat assessment can be done in both quantitative and qualitative ways. 38

Vulnerability assessment is the fourth step. Vulnerabilities are weaknesses in a security program which can be exploited by threats to gain access to the assets. A vulnerability assessment is therefore an evaluation of an organization’s security weaknesses and opportunities for adversarial exploitation. The goal is to identify and block opportunities for attacks against the organization thus mitigating threats and reducing risk. 39

The final step of the risk management process is risk assessment. Risk assessment takes together all the previous steps and based on the assets, current security measures, threats, and vulnerabilities a cost-benefit analysis is made to select the best security measures relative to

35_{Karim H. Vellani,} _{Strategic security management: a risk assessment guide for decision makers (Amsterdam:}

Butterworth-Heinemann, 2007), 15.

36_{Ibid, 20.} 37_{Ibid, 24.} 38_{Ibid, 28.} 39_{Ibid, 86.}

(22)

Emma Sprøgel Master Thesis 2018 Leiden University the means available to protect the assets and reduce risk to an acceptable level. Risk assessment is a dynamic process and it can be both qualitative or quantitative. 40

Risk based approach of the GDPR

As mentioned, the GDPR is based on a so-called ‘risk-based approach’. This means that the GDPR encourages controllers and processors to make a risk assessment of their organization and adopt measures appropriate to the risk. The risk-based approach is present throughout the GDPR such as in article 32. The GDPR does not specify how organizations should assess their risk level. However, for organizations which conduct high-risk activities article 35 requires them to carry out a DPIA. 41 It is furthermore required that such high-risk organizations consult the DPA before conducting the DPIA as stated in article 36 of the GDPR. 42

By taking this approach instead of setting detailed security requirements, the GDPR is recognizing the different nature and security challenges of the organizations. The GDPR is also preparing for future security challenges by basing itself on a risk-based approach. The risk-based approach and the emphasis on ‘appropriate measures’ in article 32 should also be seen in contrast to a precautionary approach. It is thus not necessary to take all technical and organizational security measures if there is not a risk present. The level should be appropriate in order to ensure efficiency and business continuity.

There has however been some critique and confusion as to the meaning of a “risk-based approach”. Some have argued that the risk-based approach will be used by some organizations as an excuse to not ensure the basic data protection rights of data subjects and not follow certain data protection obligations. As a result of this, the Article 29 Working43 Party has published a statement in response to this discussion. The Article 29 Working Party44 states that “_{the risk-based approach is being increasingly and wrongly presented as an}

40 _{Karim H. Vellani,} _{Strategic Security Management: A Risk Assessment Guide for Decision Makers}

(Burlington, MA: Butterworth-Heinemann, 2007), 112.

43 _{Raphaël Gellert, "Understanding the Notion of Risk in the General Data Protection Regulation,"} _Computer

Law & Security Review 34, no. 2 (2018): 282, doi:10.1016/j.clsr.2017.12.003.

44 _{The Article 29 Working Party is an advisory body made up of a representative from the data protection}

(23)

alternative to well-established data protection rights and principles _{”. The conclusion to this}45 discussion, according to the Article 29 Working Party, is that “ _{even with the adoption of a} risk-based approach – there is no question of the rights of individuals being weakened in respect of their personal data _{” and “controllers should always be accountable for compliance} with data protection obligations_{”. The risk-based approach of the GDPR is therefore not a}46 reason to lower the level of data protection even for organizations which only engage in low-risk activities.

The risk-based approach is a way to balance “the need for certainty with the requirement for flexibility” for organizations when it comes to security of personal data. For organizations47 engaging high risk activities there are more formal obligations laid out in Article 35 and 36 whereas low risk organizations are free to determine how they will assess and quantify risk. 48

Rather than make a security checklist which sometimes misses the mark in terms of the security obligations not corresponding to security breaches, the risk-based approach recognizes that there is no one-size fits all approach to security and ensures that the individual security risks faced by organizations are accounted for without “over-securing” which could harm efficiency and business continuity.

Other relevant legislation

In order to properly understand the changes coming with the GDPR’s entry into force, it is necessary to understand the legislation it is replacing both at a European level and in Denmark. This section will examine the EU Data Protection Directive and Persondataloven (“the Personal Data Law”) to get an understanding of the status of security of personal data before the introduction of the GDPR. It will furthermore examine Databeskyttelsesloven (“the Data Protection Law”) which is the implementation law to the GDPR in Denmark. The law entered into force on May 25 2018, the same day as the GDPR.

45 _{Article 29 Working Party, "Statement on the Role of a Risk-based Approach in Data Protection Legal}

Frameworks," WP 218, May 30, 2018, 2.

46_{Ibid, 3.}

47 _{Elizabeth Kennedy and Christopher Millard, "Data Security and Multi-factor Authentication: Analysis of}

Requirements under EU Law and in Selected EU Member States," _{Computer Law & Security Review 32, no. 1} (2016): 93, doi:10.1016/j.clsr.2015.12.004.

(24)

European Union

Data Protection Directive

The EU Data Protection Directive 95/46/EC was adopted by the European Union in 1995 and entered into force in 1998. It has been the primary piece of legislation regulating the protection of individuals in the processing of personal data and the free movement of personal data in the EU. The Data Protection Directive (DPD) was replaced by the GDPR and is thus no longer applicable after May 25, 2018.

The DPD is based on seven principles of data protection: _{notification meaning that the data} subject should be notified when their personal data is used, _{purpose meaning that the} personal data can only be used for the intended purpose when it was collected, _consent meaning that the personal data subject must consent to their data being shared with third parties, _{security meaning that the personal data should be secured against abuse or} compromise, _disclosure _{meaning that individuals should be informed by the data collectors} when their personal data is being collected, _access_{meaning that individuals should be able to} access their personal data, and_{accountability}_{meaning that individuals should have the means} to hold data collectors accountable for breaching any of the above principles. The seven 49

principles are based on the OECD 1980 Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data. 50

In order to understand the position on security of personal data in the DPD, it is first necessary to understand what is meant by personal data. The concept of personal data is in the DPD defined as:

“_{any information relating to an identified or identifiable natural person ("data subject"); an} identifiable person is one who can be identified, directly or indirectly, in particular by

49_{Nate Lord, "What Is the Data Protection Directive? The Predecessor to the GDPR," Digital Guardian, April}

24, 2017, accessed May 24, 2018,

https://digitalguardian.com/blog/what-data-protection-directive-predecessor-gdpr.

50_{OECD, "OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data," OECD.org,}

2013, accessed May 24, 2018,

http://www.oecd.org/internet/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonald ata.htm#part2.

(25)

reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity_”.51

This definition of personal data is vague and it is thus up to the Member States to define more clearly what constitutes personal data. However, general examples of personal data are names, addresses, government issued identification numbers, bank statements etc. 52

The DPD’s obligations on security of processing is laid out in article 17. This article states that:

“Member States shall provide that the _{controller must implement appropriate technical and}

organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the _{risks represented by the processing and the} nature of the data to be protected.” 53

Thus, the data controller is responsible for implementing appropriate technical and organizational measures taking into consideration the state of the art and the cost of their implementation. While the data processor is not directly responsible for implementing such measures, the data controller is responsible for choosing a processor which provides sufficient guarantees regarding the technical and organizational measures implemented in the processing as laid out in paragraph 2 of article 17:

“The Member States shall provide that the controller must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures.” 54

51_{EU, Data Protection Directive 95/46/EC, (1995), article 2(a).}

52_{Nate Lord, "What Is the Data Protection Directive? The Predecessor to the GDPR," Digital Guardian, April}

24, 2017, accessed May 24, 2018,

https://digitalguardian.com/blog/what-data-protection-directive-predecessor-gdpr.

53_{EU, Data Protection Directive 95/46/EC, (1995), article 17, paragraph 1.} 54_{EU, Data Protection Directive 95/46/EC, (1995), article 17, paragraph 2.}

(26)

Emma Sprøgel Master Thesis 2018 Leiden University Thus it is mainly the data controller who is responsible for the security of processing as laid out in paragraph 1 and thereby also ensuring the guarantees from the data processor in regards to the technical and organizational measures securing the processing as laid out in paragraph 2. This is elaborated further on in paragraph 3 where it is stated that the obligations of paragraph 1 are also necessary for processors to follow:

“the obligations set out in paragraph 1, as defined by the law of the Member State in which the processor is established, shall also be incumbent on the processor.” 55

However, the active responsibility for implementing appropriate technical and organizational measures to ensure an appropriate level of security taking into account state of the art and cost of implementation is with the data controller.

Denmark

Persondataloven

Persondataloven or “the Personal Data Law” also known as Lov om behandling af personoplysninger or “the Act on Processing of Personal Data” is the main piece of legislation governing the transfer and processing of personal data. Persondataloven has been regulating the DPD in the Danish context, and it entered into force on July 1, 2000. The law is applicable to both public and private organizations. However, public organizations are also governed through _{Sikkerhedsbekendtgørelsen, an additional piece of legislation with more} defined obligations regarding information security. 56

The obligations regarding security of personal data is laid out in paragraph 41 of Persondataloven part 1-3 and part 5 along with paragraph 42. Part 1 of paragraph 41 specifies that data processors can only process the data they are authorized to do so by instruction from the data controller. It furthermore stipulates that the data processing can only serve the purpose set out by the data controller. The processor can thus not process the data for their own purpose despite having access to it. This also means that the data processor cannot pass

55_{EU, Data Protection Directive 95/46/EC, (1995), article 17, paragraph 3.}

56 _{"Sikkerhedsbekendtgørelsen - Bekendtgørelse Om Sikkerhedsforanstaltninger Til Beskyttelse Af}

Personoplysninger, Som Behandles for Den Offentlige Forvaltning," Bekendtgørelse Af Lov Om Miljøvurdering Af Planer Og Programmer Og Af Konkrete Projekter (VVM), , accessed May 24, 2018, https://www.retsinformation.dk/forms/r0710.aspx?id=842.

(27)

Emma Sprøgel Master Thesis 2018 Leiden University on the data to a third party unless authorized to do so by the controller. This part is based on 57 article 16 of the DPD.

Part 2 of paragraph 41 states that part 1 cannot limit the journalistic freedom or hinder the creation of an artistic or literary product. This part does not have its foundation in the DPD 58 but has been incorporated to “avoid any doubt”. Part 3 of paragraph 41 corresponds to 59 paragraph 1 of article 17 in the DPD. It is not specified any further what constitutes 60 appropriate technical and organizational measures. However, this is the most central part of paragraph 41 regarding security of processing. A report from the Danish Registry Committee found that the security measures should include the following aspects: physical security, organizational measures, technical measures along with training and instruction. 61

Part 5 specifies that the Minister of Justice can specify further rules on security measures. This part does not have its foundation in the DPD. This part is put it since it was deemed 62 practically impossible to specify the all the security measures that are specific to different sectors in Persondataloven. This part has resulted for example in the before mentioned

Sikkerhedsbekendgørelse where security measures are specified for public authorities

processing personal data. 63

Paragraph 42 part 1 corresponds to the DPD article 17 paragraph 2 stating that the data controller must ensure that the data processor undertakes appropriate technical and organizational security measures. Thus, the data controller cannot solely leave it up the64 processors themselves to ensure an appropriate level of security but the controllers must actively ensure and control that the processors are doing this.

Paragraph 42 part 2 has its basis in paragraph 3 and 4 of article 17 of the DPD and stipulates that there must be a written agreement between the data controller and the data processor. If the data processor is in a non-EU country, it is the rules of security of processing established

57_{Denmark, Persondataloven, (2000), paragraph 41 stk 1.} 58_{Ibid, stk 2.}

59_{Denmark, Justitsministeriet,}_{Betænkning om Databeskyttelsesforordningen, 471.} 60_{Denmark, Persondataloven, (2000), paragraph 41 stk 3.}

61_{Denmark, Udvalget om registerlovgivningen,}_{Behandling af personoplysninger, (1997), 325.} 62_{Denmark, Persondataloven, (2000), paragraph 41 stk 5.}

63_{Denmark, Justitsministeriet,}_{Betænkning om Databeskyttelsesforordningen, 475.} 64_{Denmark, Persondataloven, (2000), paragraph 42 stk 1.}

(28)

Emma Sprøgel Master Thesis 2018 Leiden University in the laws of that country which governs the processing, and this must be clear in the agreement. 65

Persondataloven’s obligations on security of processing is thus largely based on the obligations of the DPD. However, there are established some additional obligation in order to remove doubt and specify further rules depending on the specificities of sectors controlling and processing personal data.

Databeskyttelsesloven

Databeskyttelsesloven (“the Data Protection Law”) is the Danish implementation law to the GDPR. It was finally approved by the Danish parliament on May 17, 2018. The law will function as a supplement to the GDPR. The law will determine the Danish supplementary obligations to the GDPR as well as clarify certain concepts of the GDPR in a Danish context. This includes a clarification as to the processing of Danish national identification numbers (CPR numbers), the processing of personal data in employment relations, transfer of personal data from one enterprise to another with regards to Danish marketing law , and the lowering 66

of the age of consent from 16 in the GDPR to 13 years old in Denmark.67

Databeskyttelsesloven does not make Danish clarifications or supplements to the GDPR’s Article 32 on Security of Processing, and the text of GDPR will therefore be followed as is.

65_{Denmark, Justitsministeriet,}_{Betænkning om Databeskyttelsesforordningen, 479.}

66_{"Den Nye Data}_{beskyttelseslov Er Nu Vedtaget," Kromann Reumert, May 17, 2018, accessed June 05, 2018,}

https://www.kromannreumert.com/Nyheder/2018/05/Den-nye-databeskyttelseslov-er-nu-vedtaget.

67 _{Mie Oehlenschlager and Katrine Pedersen, "Databeskyttelsesloven Er Ikke for Børn," DataEthics, May 16,}

(29)

2. Methodology

Research questions

The aim of this research is to explore the information security risk management processes of SMEs in Denmark in light of the new principles of the GDPR. In the end, the challenges faced by SMEs when following the new rules set out on information security will be identified as well as how appropriate information security measures can be understood. By focusing on Article 32 and using Vellani’s theory on Security Risk Management, we have an appropriate framework for the analysis conducted on the SMEs in the thesis. As a result of this aim, an exploratory main research question has been developed:

"How do SMEs in Denmark define and implement appropriate security measures under Article 32 of the GDPR?"

In order to answer this main research question, the following sub-questions will be answered: - “What are the existing Danish and EU laws on information security and how does the

GDPR differ from these?”

- “What are the challenges faced by Danish SMEs in their risk management process when interpreting article 32?”

- “How do Danish SMEs approach article 32 implementation and what do they prioritize in this process?”

Each of the sub-research questions will be answered in a section in the analysis chapter. The first subquestion will serve to provide an understanding of what changes the GDPR actually brings and how the information security processes change for the SMEs in Denmark under the GDPR. The second and third subquestion will explore the more practical process of interpreting and implementing article 32 of the GDPR, a big part of which is conducting a security risk assessment. Together the three sub-questions held together with the theoretical background given, will answer the overall research question.

(30)

Research design

Single case study

The chosen research design of this thesis is a single case study design. The context studied is information security risk management and security of processing in light of the GDPR and the case selected is SMEs in Denmark. The case is thus the country of Denmark as one of the European Union member states. This case made it possible to test the opportunities and boundaries for information security that comes with the GDPR in a smaller member state which have not prioritized information security to a large extent in the past. Denmark was also chosen in order to limit the scope of the thesis geographically. Furthermore, it was the member state which the author of this thesis has had the most access to exploring fully in depth. The research is naturally limited in time since the GDPR was passed in 2016 till May 2018 when the regulation entered into force. While the deadline of this thesis was after the GDPR’s entry into force, the thesis will exclusive concentrate on the preparation before this point. However, it will touch upon certain expectations to the situation after the regulation has entered into force but this will be clearly indicated.

SMEs were chosen as the focus of this research as they are a particular interesting type of data processing organization to use as they have limited funds and human resources available to ensure a smooth transition to the new regulation. It was therefore expected that challenges of interpreting and implementing the information security obligations under the GDPR were especially highlighted in these organization due to the factors mentioned above. It was furthermore interesting to explore how the risk based approach of the GDPR was handled by these smaller organizations as it is an elaborate process which cannot be scaled down to “light version”.

Finally, a decision was made to focus on a single case, Denmark, as opposed to making a comparative analysis between multiple member states. The reason for this is that the complexity of the subject combined with the scope of this thesis was suitable for a single case study. Focusing on one member state made it possible to go thoroughly into depth with this case. Some of the conclusion drawn off the case of Denmark can be expected to apply also to SMEs in other member states (although this is not the aim of the research) as the GDPR in

(31)

Emma Sprøgel Master Thesis 2018 Leiden University theory harmonizes data protection legislation in the EU. However, the national aspect such as supplementary legislation, resources of the DPA, and general data protection culture should always be kept in mind.

The research design is a qualitative one where the focus will be on a single case in order to explain its context, particularity, and complexity. This is contrast to a quantitative case study design where many cases would be studied. The aim is not to generalize broadly on information security and risk management but instead to give a contextualized insight into the processes of adapting to Article 32 of the GDPR by Danish SMEs. The research could however be replicable into SMEs in other member states taking into account their particular national legislation, DPA, and culture of data protection.

Methods

Triangulation of methods

This thesis will rely on a qualitative methodology. The triangulation of methods for this thesis will consist of document analysis and interviews. These methods are used in order to increase the external validity of the findings of the research. The approach of triangulation ensures that the Danish SMEs’ approach to information security in the GDPR is explored more thoroughly and a deeper understanding is acquired. It allows for the data obtained from the sources to be cross checked across these two methods. The methods of document analysis and interviews were chosen as they were the best qualitative methods to answer the research question. The document analysis provided some hypotheses about the phenomenon and it was then possible to validate the findings or analyze why they were different thus avoiding any potential methodological bias.

Document analysis

For this thesis, document analysis served as the primary method of analysis. Overall, three broad categories of documents were analyzed during this research: academic literature, legal documents, and reports/guides on GDPR implementation. The academic literature was mainly scholarly articles and books on information security, risk management, and European data protection legislation. The second category consisted of the GDPR primarily focusing on

(32)

Emma Sprøgel Master Thesis 2018 Leiden University article 32, the DPD focusing on article 17, Persondataloven (“the Personal Data Law”) focusing on paragraph 41, and the Danish GDPR implementation law Databeskyttelsesloven. This was the relevant legislation for the scope of this thesis which was compared and analyzed. The last category were various reports and guides on GDPR implementation from sources such as ENISA, the Danish DPA, the French DPA as well as media sources etc. Together these sources were subject to document analysis which served as the basis of the analysis conducted in this thesis.

Interviews

Interviews were used in this thesis as a way to get information which was not necessarily available elsewhere. This mainly went for interviews with SMEs which served to provide inside knowledge and an inside experience into the challenges they have been facing with GDPR implementation. While general conclusions on this topic were made via document analysis, the interviews provided concrete empirical examples from Danish SMEs. As the number of SMEs interviewed for this thesis are limited, the conclusions drawn from the interviews cannot be considered general. The interviews with the SMEs therefore serve as illustrations for the conclusions drawn from document analysis.

Moreover, the DPA in Denmark was interviewed to acquire concrete empirical knowledge of how they are working with SMEs on GDPR implementation and what will be their strategy going forward. The interview with the DPA does not serve as illustration like the two other interviews but as a source of information in itself from which conclusions can be drawn from. Overall, the results of the interviews were satisfactory and the results corresponded well with the expected findings based on document analysis.

For this thesis a total of three people were interviewed. Two representatives from two SMEs were interviewed as well as a representative from the Danish DPA, Datatilsynet. All interviews were conducted in April and May 2018. The interviews followed a semi-structured plan where questions were prepared in advance and follow-up questions were also asked in response to the answers of the interviewee. The purpose of the interviews with the SMEs was to get an understanding of how they interpreted article 32, how they implemented, what challenges they had faced particularly in the risk management process, and what guidance they had received. The purpose of the interview with the representative from Datatilsynet was

Information Security: The GDPR and SMEs in Denmark