The GDPR allows the controller to take into account also the cost of the security measures required to comply: Article 32 says “Taking into account the state of the art, the costs of implementation…”. Compared with the legislation currently in force, at least in Italy, this is a strongly innovative element.
“Taking into account the costs” is a statement that must be placed entirely within the controller’s accountability principle and, therefore, it must be part of the overall, documented assessment of the personal data security requirements to comply with: the risks related to the processing must be identified, and the probability of their occurring and the potential damage they would cause must be evaluated. Then the possible solutions must be analyzed, along with their costs, their impact on the organization and their limitations, that is, the residual risk that remains after the solution is implemented.
Only at this point can a comprehensive evaluation be made of whether the overall cost of the solution, not only the economic one, is sustainable in the actual context of the company.
It must be underlined that the cost of a security measure is not only the purchase price of the technology or of the services the measure is made of. It also includes the resources required to make the organization capable of using that technology and those services properly.
To be effective, a technology may require that a certain organizational structure and/or a supporting technology be in place, or that certain competencies or roles be established within the company. In the absence of these elements, adopting a tool or acquiring a service may turn out to be ineffective or even counter-productive.
It is a complex evaluation, and it is the Controller’s responsibility to make it. This is entirely appropriate: according to the GDPR it is up to the Controller, and within his responsibility, to decide whether an investment is applicable to the actual organization of the company and compatible with the available resources, and consequently whether to adopt a certain technological or organizational measure to address a specific risk.
This evaluation must remain within the accountability principle, which implies the duty of being able to demonstrate why the decision was made. Cost cannot be an excuse for not implementing a security measure; it is one of the parameters the controller uses to decide his security strategy.
Of course, the monetary cost of a measure is relevant: a security measure cannot make unsustainable the processing it was supposed to protect.
If the rationale for the decision is reasonable and properly documented, the Controller will not be chargeable for not adopting the security measure in the event of a lawsuit or an inspection by the supervisory Authority. What would then have to be contested is the rationale behind the decision: the assessments of the organization and of the available resources that led to it.
This means that the company’s balance sheet and organization will have to be taken into consideration.
Of course, particularly if the risk level is high and the identified solution is effective, simply saying “no” can be considered inadequate: if that solution is needed but not applicable for cost or organizational reasons, alternative measures must be applied to reduce the risk, while a plan to make the solution applicable in the future is put in place.