France CNIL calls for comments on its draft recommendation on security of critical data processing operations

This processing, referred to by the CNIL as "critical data processing operations", is characterised by two cumulative criteria: the processing is large-scale within the meaning of the GDPR; and a data breach could either have very significant consequences for the data subjects, state security or society as a whole (due to the loss of confidentiality, integrity or availability of the data or the processing).

The CNIL provides examples of critical data processing operations, such as: customer databases and other processing that involve a large part of the French population due to essential services provided by the controller (such as banking, energy, insurance, internet access or transport services), large-scale digital public services (such as tax or identity management), large-scale health processing, or processing in the context of providing services which, due to their popularity, have led to the creation of a large database containing sensitive personal data of a large part of the French population.

The CNIL Recommendation covers governance, risk management, staff training and awareness, privacy by design and by default, traceability, data breach management and security of supply chains. It also consolidates various advanced security practices for critical data processing operations. For instance, the CNIL recommends that critical data processing operations:

1. are approached as a strategic issue that should be supported by top management, with sufficient resources allocated to their protection and regular updates provided by the information security officer and the data protection officer of the organisation;
2. undergo initial and systematic data protection impact assessments and risk assessments, taking into account the most likely and severe risk scenarios (e.g. state-sponsored or organised crime cyber-attacks, supply chain attacks, zero-day vulnerabilities or compromise of authorised persons);
3. follow the principles of privacy by design and by default, and data minimisation;
4. undergo a security certification to validate the level of security of the processing and the residual risks, as well as the action plan to address these risks and maintain and improve the level of security over time; and
5. implement extensive logging measures that would enable traceability of events in IT systems and access to systems and equipment, covering all the equipment involved in the processing of personal data, and use automated analysis tools to facilitate the detection of security incidents and data breaches.

Organisations are also encouraged to implement appropriate policies and procedures for managing data security and personal data breaches.

The consultation is open until 8 October 2023.

The Recommendation is available here and the press release is available here (French only).