
EDPS Opinion on Information Security Proposal

The Proposal for a Regulation of the European Parliament and of the Council on the information security in the institutions, bodies, offices and agencies of the Union (EUIs)[1] suggests developing a set of standards and rules regarding information security that EUIs will need to adhere to. These aim, firstly, to facilitate the interoperability of information classification systems to enable seamless data transfers between EUIs, and secondly, to ensure a uniform approach between institutions to the handling of classified and sensitive information. In May, the EDPS published an Opinion on the proposal, providing general remarks and specific comments on its contents.

This article will present some of the key points outlined in the EDPS Opinion, which give an indication of the focus and emphasis of the EDPS when it comes to information security, concerned with the confidentiality, integrity, and availability of data, within EUIs.

Whilst the EDPS recognises that information security measures enhance the protection of personal data, it also notes that such measures have the potential to interfere with the rights and freedoms of data subjects. The EDPS advises that the adoption of information security measures will inevitably involve the processing of personal data, and that this should be done in compliance with the current data protection framework. Any measures implemented should rest on a valid legal basis, be adequate, necessary and proportionate, and serve specific and limited purposes.

Within the EDPS Opinion, the following key recommendations were made that EUIs should be mindful of:

  • As part of the minimum-security measures within the Regulation, the EDPS strongly recommends including end-to-end encryption (particularly when exchanging sensitive non-classified information).
  • The EDPS also advised that the Regulation should cover risks stemming from third country access (e.g., intervention by public authorities).
  • The EDPS has recommended including a specific obligation for EUIs to ensure that the officials responsible for information security cooperate closely with the Data Protection Officer. This collaboration should ensure that the principles of data protection by design and by default are applied to the measures.
  • Additionally, the EDPS recommends promoting an integrated information security risk management process and an integrated incident handling process that take account of both the information security and the data protection obligations on data breach notifications.

Trilateral’s Data Protection and Cyber Risk Team includes data protection and information security specialists with extensive expertise and experience who are able to help in implementing changes to meet new and evolving requirements, inter alia:

  • Applying data protection by design and default to any new and existing information security measures.
  • Transfer Impact Assessment templates and processes for assessing the risk of third country transfers.
  • Integrating data protection with information security approaches across the organisation.
  • Developing breach/incident handling processes that include both information security and data protection.

Please feel free to contact our advisors, who would be happy to speak with you about the above services or any other compliance needs you may have.

[1] On the same day the EDPS also provided its opinion on the EC's Proposal on measures for a high common level of cybersecurity in EUIs. That cybersecurity Proposal is focused on system and network vulnerabilities.

Thordis Sveinsdottir

Senior Data Protection Advisor

Rosie Christos

Data Protection Advisor