The “appropriate technical and organisational measures” required by the GDPR are what keep personal data secure: technical safeguards against accidents, negligence and cyber attacks, together with the implementation of data protection policies. These measures should be available for inspection at the request of data protection authorities and should be reviewed regularly.
At a glance, technical and organisational measures are the functions, processes, controls, systems, procedures and measures taken to protect and secure the personal data processed by an organisation.
The measures an organisation puts in place relate directly to its scope, size and activities, and must keep pace with the nature and scope of the personal data it processes. The technical and organisational measures contemplated by the GDPR are wide-ranging, from assessment controls such as vulnerability scans and risk management to firewalls, enforcement of strong passwords and due diligence towards third parties.
What measures should you consider and implement?
Depending on the size of your organisation and the processing activities performed, there is a wide range of technical and organisational measures that can help secure and protect personal information.
Writing or adopting information security policies is an essential part of your organisational measures. For a small, non-complex organisation a single information security policy may suffice; larger organisations typically need a set of policies, often including:
- Bring your own device (BYOD)
- Clear desktop & screen
- Access control
- Passwords & Encryptions
- Safe disposal
- Business Continuity Plan/Disaster Recovery
- Asset Management
- Remote access
According to Recital 78
Recital 78, “Appropriate Technical and Organisational Measures”, sets out what an establishment must do to keep the personal data of each individual in an organisation secure. Recital 78 reads as follows on the official GDPR website:
“The protection of the rights and freedoms of natural persons with regard to the processing of personal data requires that appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met.
In order to be able to demonstrate compliance with this Regulation, the controller should establish internal policies and implement measures which comply in particular with the principles of “data protection by design” and “data protection by default”.
Such measures could, inter alia, consist of minimizing the processing of personal data, pseudonymizing personal data as soon as possible, providing transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing and enabling the controller to create and improve security features.
When developing, designing, selecting and using applications, services and products based on the processing of personal data or processing personal data for the performance of their tasks, the manufacturers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and to ensure, with due regard to the state of the art, that data controllers and processors are able to comply with their data protection obligations. The principles of designed and pre-defined data protection should also be taken into account by (if required) data protection officers.”
The security principle goes beyond the way you store or transfer information. Every aspect of your personal data processing is covered, not just cyber security. This means that the security measures you put in place should aim to ensure that:
- the data can only be accessed, modified, disclosed or deleted by the persons you have authorized to do so (and that these persons only act within the scope of the authorization you have given them)
- the data in your possession is accurate and complete in relation to the reason why you are processing it; and
- the data remains accessible and usable, i.e. if personal data is accidentally lost, altered or destroyed, you should be able to recover it and thus prevent any damage or annoyance to the persons concerned.
These are referred to as “confidentiality, integrity and availability” and are part of your obligations under the GDPR.
Required Level of Security
You should review the personal information in your possession and the way you use it to assess how valuable, sensitive or confidential it is, as well as the harm or distress that could be caused by compromising the data. You should also consider factors such as the following:
- the nature and extent of your organisation’s premises and computer systems;
- the number of your employees and the extent to which they have access to personal information.
The GDPR does not define what security measures you must take. It requires you to have a level of security that is “appropriate” to the risks posed by your processing. You must assess this in the light of the state of the art and the costs of implementation, as well as the nature, scope, context and purpose of your processing. This reflects both the risk-based approach of the GDPR and the fact that there is no “one size fits all” solution for information security. What is “appropriate” for you depends on your own circumstances, the processing you perform and the risks it presents to your organisation.