Data Protection Solutions under the GDPR

To secure personal data against internal and external threats, Article 32 of the GDPR sets out the following factors that must be weighed when choosing a data protection solution:


  • The state of the art refers to the current state of technical development, i.e. the measures that are available and established in practice, not necessarily the newest product on the market;
  • The cost of implementation refers to the price of putting such security in place. The measures chosen must be proportionate; a controller is not expected to incur unreasonable cost;
  • The nature refers to the nature of the personal data to be processed, in particular whether special categories of personal data (Article 9) are processed;
  • The scope refers to the subject matter and extent of the processing;
  • The context refers to the specific circumstances in which the personal data are processed (factors, conditions, specific industries);
  • The purpose of processing refers to the purpose or purposes for which the personal data are processed (explicit, legitimate and determined at the time of collection); and
  • The risk refers to the harm that improper processing could cause to the rights and freedoms of the data subject, assessed by its likelihood and severity.

Furthermore, the GDPR requires that the data protection mechanism chosen ensures the following:

  • Level of Security

The level of security that you require will depend on the data you hold, the way you use it and in particular what is at stake if there is a security breach.

  • Appropriate Technical and Organisational Measures

In assessing the appropriate level of security, Article 32(2) requires that account be taken in particular of the risks presented by the processing (as described above), especially those arising from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

Regarding technical and organisational measures, Article 32(1) lists, among other things and as appropriate:

o    Pseudonymisation: processing personal data so that they can no longer be attributed to a specific data subject without the use of additional information (for example a key or a lookup table) that is kept separately and protected by its own technical and organisational measures (Article 4(5)). Pseudonymised data are still personal data; only data that cannot be re-identified by any reasonable means are anonymous and outside the GDPR.

o    Encryption: rendering the data unreadable to anyone who does not hold the decryption key. Encryption is not mere encoding (such as Base64), which anyone can reverse without a secret.

o    The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, and the incorporation of data protection principles into those systems and services from the design stage (Article 25).

o    The ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident (backups, recovery procedures), supported by a culture of security and awareness of personal data within the organisation.

o    A process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures, so that outdated or ineffective measures are detected and replaced.

The above is not intended to preclude any other measures of data protection.
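The pseudonymisation point above is the one most often misunderstood, so here is an added worked example (not code from the original article): direct identifiers in a record are replaced with a keyed pseudonym (HMAC-SHA256), the key and the pseudonym-to-identity map are held in a separate "vault", and the same data subject always receives the same pseudonym so records remain linkable for analysis. The records, field names, key handling and the in-memory Vault class are all constructed for illustration; in production the key would live in a KMS or HSM and the map in a separately access-controlled store.

```python
import hmac
import hashlib
import secrets
from typing import Dict, Iterable, List

# Constructed sample dataset (fictitious people); the third row repeats the
# first data subject to show that pseudonymisation keeps records linkable.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"email": "a.silva@example.org", "country": "PT", "diagnosis_code": "E11"},
    {"email": "b.jones@example.org", "country": "UK", "diagnosis_code": "I10"},
    {"email": "A.Silva@Example.org", "country": "PT", "diagnosis_code": "E11"},
]

# Fields treated as direct identifiers for this illustration.
DIRECT_IDENTIFIERS = ("email",)


def pseudonymise(identifier: str, key: bytes) -> str:
    """Return a keyed pseudonym (hex HMAC-SHA256) for one identifier.

    A plain SHA-256 of an e-mail address is NOT a pseudonym in the GDPR
    sense: the input space is small enough to reverse by dictionary
    attack. The HMAC key is the 'additional information' that Art. 4(5)
    requires to be kept separately from the pseudonymised data.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


class Vault:
    """Separately held key plus pseudonym -> identifier map.

    Holding both here is a stand-in for a separate system with its own
    access controls; whoever holds only the pseudonymised dataset cannot
    re-identify anyone without access to this object.
    """

    def __init__(self, key: bytes) -> None:
        if len(key) < 16:
            raise ValueError("pseudonymisation key too short")
        self._key = key
        self._map: Dict[str, str] = {}

    def pseudonym_for(self, identifier: str) -> str:
        pseudonym = pseudonymise(identifier, self._key)
        # Record the mapping so authorised re-identification stays possible.
        self._map[pseudonym] = identifier.strip().lower()
        return pseudonym

    def reidentify(self, pseudonym: str) -> str:
        """Authorised reverse lookup; raises KeyError for unknown pseudonyms."""
        return self._map[pseudonym]


def pseudonymise_record(record: Dict[str, str], vault: Vault) -> Dict[str, str]:
    """Replace each direct identifier with a '<field>_pseudonym' value."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field + "_pseudonym"] = vault.pseudonym_for(out.pop(field))
    return out


def pseudonymise_dataset(records: Iterable[Dict[str, str]], vault: Vault) -> List[Dict[str, str]]:
    return [pseudonymise_record(r, vault) for r in records]


def contains_direct_identifiers(records: Iterable[Dict[str, str]]) -> bool:
    """Check used before releasing a dataset to a less trusted environment."""
    return any(field in r for r in records for field in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    vault = Vault(secrets.token_bytes(32))          # key generated per deployment
    released = pseudonymise_dataset(SAMPLE_RECORDS, vault)
    assert not contains_direct_identifiers(released)
    for row in released:
        print(row)
    # Same subject, same pseudonym: rows 0 and 2 remain linkable.
    print("linkable:", released[0]["email_pseudonym"] == released[2]["email_pseudonym"])
    # Only the vault holder can go back to the identity.
    print("re-identified:", vault.reidentify(released[0]["email_pseudonym"]))
```

The dataset handed to analysts contains pseudonyms only, but because the vault can reverse them it is still personal data under the GDPR and Article 32 continues to apply to both halves; a different key yields entirely different pseudonyms, which is also how you would re-key after a suspected compromise of the vault.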

  •  Under the Data Controller’s instruction

The GDPR requires that any person acting under the authority of the controller or the processor who has access to personal data processes them only on the controller's instructions, unless Union or Member State law requires otherwise (Article 32(4)).

In that sense, the Data Processor must provide sufficient guarantees about its security measures to protect the personal data as instructed by the Data Controller. A written contract (Article 28) is necessary for a clear allocation of responsibilities, purposes, means and so on. Take advice from your lawyer.

  •  Demonstrate Compliance

In order to make this protection effective, the GDPR gives supervisory authorities powers to monitor, to require controllers and processors to demonstrate compliance, and to impose sanctions.

In particular, Recital 74 of the GDPR states: “the controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures (...)”

Moreover, Recital 77 of the GDPR mentions: “Guidance on the implementation of appropriate measures and on the demonstration of compliance by the controller or the processor, especially as regards the identification of the risk related to the processing, their assessment in terms of origin, nature, likelihood and severity, and the identification of best practices to mitigate the risk, could be provided in particular by means of approved codes of conduct, approved certifications, guidelines provided by the Board or indications provided by a data protection officer (...)”

In conclusion:

  • The GDPR requires security for every aspect of the processing of personal data, internal and external.
  • The data must be protected wherever they go, inside or outside the organisational boundaries.
  • There is no “one size fits all” solution to information security. Where processing is likely to result in a high risk to the rights and freedoms of data subjects, a data protection impact assessment must be carried out before the processing begins (Article 35). The data protection solution will vary with the level of security required.

Lawinfographic Sources:

       Art. 32 of the GDPR; main Recitals: 74 to 84, 94 and 95

       Useful: Data Protection Self-Assessment checklist in areas of information security, provided by the ICO

       Recommended: Managing information security amid new threats, a guide for Chief Information Officers


2 thoughts on “Data Protection Solutions under the GDPR”

  1. Hi Jessica,
    congrats on your blog advocating GDPR, well done!
    I’m diving into data privacy myself (IAPP certification), after spending 25+ years dealing with tons of sensitive data generating insights for the health and pharma industry.
    I live in Portugal and I would like to start posting some basic thoughts / concepts about GDPR implementation and roll-out. I would like to publish your infographics (eventually in Portuguese, if possible) on my LinkedIn page, if you allow?

    Thanks and regards
    Jorge Lemos

    1. Jorge,

      Thank you for your comment. I am really happy to hear it is useful and is shedding some light on the topic. Please feel free to share the infographic on your LinkedIn page by using our link: https://www.talacka.com/lawinfographic/

      About the translation, it would only be possible if you could show us an official translation that assures us the meaning of the text has been respected.

      All the best,
