Risk assessment and data security

The enterprise must perform a risk assessment in connection with changes in factors which could affect data security, such as changes in the information system or in the threat landscape.

Risk describes the relationship between the likelihood that an unwanted incident will occur and the consequences such an incident would have. The risk assessment must be read against the enterprise's established risk acceptance criteria, and the data controller must implement the measures necessary to bring data security to a satisfactory level.

To achieve a satisfactory level of data security, the data controller must ensure that any cloud computing service meets the requirements laid down in the acceptance criteria and the risk assessment. The assessment carries greater weight when the enterprise moves from in-house operations to a cloud-based solution, because the personal data will then lie outside the data controller's direct control. The question is therefore: how can the data controller satisfy itself that the level of data security is adequate?

The data processor agreement must contain a section on data security, and the data controller should review it thoroughly. The agreement in itself is no guarantee that the service provider actually maintains a satisfactory level of data security; it documents what has been promised, not what has been implemented.

Security audits

Chapter 2 of the Personal Data Regulations, which deals with data security, contains a provision relating to security audits.

"Security audits of the information system's use shall be carried out regularly. A security audit shall comprise an assessment of organisation, security measures and use of communication partners and service providers. If the security audit reveals any unforeseen use of the information system, this shall be treated as a discrepancy, see s 2-6. The result of the security audit shall be documented."

- Norwegian Personal Data Regulations, chapter 2

The Norwegian Data Protection Authority is therefore of the opinion that:

- The data processor must be able to document the design of the information system and its security solutions. This enables the data controller to verify that the solution affords adequate data security in relation to its risk assessment and acceptance criteria.
- The data processor cannot change the data security measures unless the data controller has been notified of the change in writing and has consented to it.