Risk Management: from Directive 95/46 to the GDPR

From 2000 to 2005, the field of information security was in a state of flux, with experts waiting to see who would impose the first set of international standards. The English were one step ahead, and so the first standard to appear was ISO/IEC 17799 on best practices in information security (established in 2000, it later became ISO/IEC 27002). It was followed by ISO/IEC 27001, which introduced the notion of an ISMS (information security management system) subject to certification, and then, in 2008, by ISO/IEC 27005, which supplies the method for risk management. These standards have since become references: they have been fully fleshed out, and national standards and methods tend naturally to converge towards them.

Taking a Step Back: How to Build Upon Legislation and Define Risk

However, things were not always so clear cut. In October 1995, Article 17 of Directive 95/46, published by the European Council, introduced the notion of “security of processing” by providing that the person responsible for the processing (the “controller”) must implement appropriate technical and organizational measures to protect personal data – mainly by taking into account the criteria of confidentiality, integrity and availability. The Directive refers to setting up state-of-the-art measures to ensure a level of security appropriate to the risks represented by the processing.

Which at the time was all very vague and open to interpretation…

The transposition of the Directive into Luxembourg legislation in August 2002 attempted to be more interventionist: its Article 23 includes a number of technical terms, including “equipment access control”, “medium access control”, “memory control”, “access control”, etc. But how can best practices in information security be summed up in a single article of a legislative instrument that is only half a page long? Naturally, this question led to the founding of today’s international standards, as well as a robust network of security professionals, certification programs and educational initiatives.

And Now the GDPR…

The GDPR, or General Data Protection Regulation, comes onto the scene at a time when all these standards have reached maturity, are stable, and are widespread throughout Europe. Its articles, specifically 76, 77 and 83, use a very specific vocabulary, such as “likelihood and severity of the risk”, “risk should be evaluated on the basis of an objective assessment”, “identification of the risk”, etc. Finally, in Articles 24, 32 and 35, the GDPR expresses the need to carry out a risk analysis and also an impact assessment to address the risks to the rights and freedoms of the persons concerned.

Data protection: a new balance to be found.


Risk Management Today – and Tomorrow

A risk analysis is a structured approach that aims to steer an organization through the lens of risk. In very simple terms, it is necessary to define the context to be studied, then identify the risks (know what they are), and then assess them (quantify them). This makes it possible for the organization to arrange its risks in order, starting with the most critical. All of the risks considered unacceptable are dealt with first, so that they can be reduced to an acceptable threshold or eliminated. The remaining risks are accepted, since they have been characterized as negligible.
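The identify, assess, rank and treat-or-accept steps described above, as an added illustration (this is example code written for this page, not MONARC's own method or tool). It assumes a 1-to-4 scale for likelihood and for severity, a score of likelihood times severity, and an acceptance threshold of 6; the risk register entries are constructed for the example.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    """One entry of a risk register (assumed structure, not MONARC's)."""
    name: str
    criterion: str   # "confidentiality", "integrity" or "availability"
    likelihood: int  # assumed scale: 1 (rare) .. 4 (almost certain)
    severity: int    # assumed scale: 1 (negligible) .. 4 (critical)

    @property
    def score(self) -> int:
        # Assumed scoring rule: likelihood x severity.
        return self.likelihood * self.severity


# Assumed acceptance threshold: anything scoring above it must be treated.
ACCEPTANCE_THRESHOLD = 6

# Constructed sample register for a health-care style context.
SAMPLE_REGISTER = [
    Risk("Medical records exported to an unencrypted USB stick", "confidentiality", 3, 4),
    Risk("Backup server outage during business hours", "availability", 2, 3),
    Risk("Unauthorised edit of a patient's allergy list", "integrity", 2, 4),
    Risk("Internal phone directory visible to all staff", "confidentiality", 4, 1),
]


def rank_risks(risks):
    """Most critical first; severity breaks ties so impact on the person wins."""
    return sorted(risks, key=lambda r: (r.score, r.severity), reverse=True)


def triage(risks, threshold=ACCEPTANCE_THRESHOLD):
    """Split the ranked register into risks to treat and risks to accept."""
    ranked = rank_risks(risks)
    to_treat = [r for r in ranked if r.score > threshold]
    accepted = [r for r in ranked if r.score <= threshold]
    return to_treat, accepted


def apply_measure(risk, new_likelihood):
    """Model a security measure that lowers likelihood; returns the residual risk."""
    if not 1 <= new_likelihood <= risk.likelihood:
        raise ValueError("a measure can only lower likelihood within the 1..4 scale")
    return replace(risk, likelihood=new_likelihood)


if __name__ == "__main__":
    to_treat, accepted = triage(SAMPLE_REGISTER)
    for r in to_treat:
        print(f"TREAT  score={r.score:2d} [{r.criterion}] {r.name}")
    for r in accepted:
        print(f"ACCEPT score={r.score:2d} [{r.criterion}] {r.name}")
    # Encrypting removable media (constructed measure) brings the top risk down.
    residual = apply_measure(to_treat[0], new_likelihood=1)
    print(f"residual score after measure: {residual.score}")
```

The point of the residual-risk step is the review loop the article describes: after a measure is applied, the entry is re-scored against the same threshold, and only entries that now fall at or below it move to the accepted list.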

Beyond this ordering of risks, the risk analysis process itself yields a great deal of information: the scope of the risks taken into consideration, their assessment, the impact values for the organization and/or the individual, a description of the security measures already in place, and of those to be added in the future.

All of this information goes hand in hand with the principle of controller accountability. Not only must the controller use a risk-based approach to implement security measures, they must also be able to provide all the arguments needed to demonstrate that their organization’s processing is GDPR compliant.

Can MONARC Help Organizations Manage All of This?

MONARC is a risk analysis method coupled with a free tool, making it possible to follow all of the best practices in the field of information security. MONARC adopts the basic criteria of confidentiality (vital where personal data is involved – protection against disclosure), integrity and availability, all of which are particularly relevant in the health care field. Impact criteria are tied directly to the organization’s reputational, operational, legal and financial risks. What sets MONARC apart is that it naturally introduces the notion of consequences for the person, as required by the GDPR (e.g. the consequences of disclosing information from a person’s medical records).

In this way, MONARC addresses two vital points of the GDPR, by coupling risk management with an impact analysis specific to the rights and freedoms of the person within the domain of data security.

What remains is the impact of failing to comply with the legal aspects of the GDPR, for which MONARC also proposes a solution via its pre-defined risk models. The DPIA, as defined in Article 35 of the GDPR, is thus partly covered.

MONARC is an iterative method that makes it possible to carry out regular reviews taking into account only the changes made since the last one, which saves considerable time in achieving compliance. And since the risk analysis is carried out on personal data, it is highly probable that your organization’s information system is already partly covered by the analysis; MONARC simply makes it possible to extend it to your services and business processes.

MONARC makes it possible to pool the efforts of ensuring your compliance with the GDPR and managing your risks, ensuring that your activity remains sustainable.
