Vague Cyber Security
Here is a common mistake that you find in the cyber security section of contracts.
People, particularly buyers, like to repeat the security wording from Article 32 of the GDPR:
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk,…
But this approach doesn’t work in a contract. The GDPR is legislation intended to last 30 years and to cover personal data of every kind, from the most sensitive medical records to the most trivial details. By its very nature, the security obligation the GDPR imposes (on controllers and processors alike) has to be vague and high-level.
A contract, on the other hand, can’t afford to be vague and high-level. Not only is its time horizon short (the contract will last, say, three or five years), but you know specifically what type of data is involved and the likely impact of any breach.
Looked at from the buyer’s point of view, relying on the standard GDPR wording brings a key problem: it is too vague to enforce. Because the buyer hasn’t boiled the general prescription down to something concrete, it has nothing specific to hold the seller to in court.
From the seller’s point of view, it is the same problem seen from the other side. The seller needs to boil the GDPR’s generalisation down to something concrete and measurable. Then the seller can say: for the price of X, you get this concrete security arrangement, Y. Do you think the data needs more security than Y? In that case, I will charge you X+.
The seller then needs the buyer to agree that, if the seller meets the cyber security obligation in the contract, it has discharged its security obligation under the GDPR as between the parties (a contract cannot bind a regulator, but it can stop the buyer reopening the question). You do not want the buyer coming back a few years later and saying: I know what it says in the contract, but given the state of the art, the cyber security you should have been providing is….
1 July 2025