The GDPR requires you to process personal data securely. This is not a new data protection obligation. It replaces and mirrors the previous requirement to have appropriate technical and organizational measures under the Data Protection Directive.
Article 32 of the GDPR addresses controller and processor security obligations. It states: "Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk." State of the art does not mean the most cutting-edge technology. As part of the risk assessment, controllers or processors should reflect upon the consensus of security specialists.
If a body or a security specialist considers a particular control appropriate in a particular context, this option should be preferred when deciding on the appropriate security measures. The cost of implementation should also be taken into account.
Organizations are not required to choose the most expensive, cutting-edge security controls. The GDPR does not explain what the phrase "appropriate technical and organizational measures" means, but it lists some important measures, such as pseudonymization, encryption, confidentiality, integrity, availability and resilience. Confidentiality: individuals, entities, systems and applications access data on a need-to-know basis.
Integrity: controls are in place to ensure data is accurate and complete. Availability: data is accessible when needed. Resilience: data is able to withstand threats and recover. The GDPR also suggests using a risk-based approach and running a risk assessment to decide on the appropriate technical and organizational measures.
The risk assessment will reflect the nature of the data that is processed; the context, purpose and scope of processing; threats; vulnerabilities; and the impact. We have covered what the GDPR requires us to do for security in theory, but security in practice within an organization needs more than that, and according to the GDPR organizations should take a holistic approach.
Considerations for a holistic approach include management team buy-in, a security policy, physical environment security measures, information technology security measures, and incident detection and response.
The GDPR also asks controllers to cascade these requirements to processors. The contracts between controllers and processors should include the following compulsory terms:
- The processor must only act on the written instructions of the controller.
- The processor must ensure that people processing the data are subject to a duty of confidence.
- The processor must take appropriate measures to ensure the security of processing.
- The processor must only engage a sub-processor with the prior consent of the data controller and a written contract.
- The processor must assist the data controller in providing subject access and allowing data subjects to exercise their rights under the GDPR.
- The processor must assist the data controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments.
- The processor must delete or return all personal data to the controller at the end of the contract.
- The processor must submit to audits and inspections, and provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations.
- The processor must tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.