EU GDPR Security of Processing

EU GDPR Security of Processing – how to address these

The EU GDPR Security of Processing requirements are contained in Article 32 of the regulations and are provided below:

  1. The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
    • the pseudonymisation and encryption of personal data;
    • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
    • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
    • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
  2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
  3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.
  4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.

EU GDPR Security of Processing – appropriate technical and organisational measures

So what are appropriate technical and organisational EU GDPR Security of Processing measures? How do you ensure a level of security appropriate to the risk and what measures do organisations implement to satisfy these requirements?

The most widely accepted Information Security measures are found in the ISO27000 series of standards, in particular in ISO27001 – the standard for an Information Security Management System (ISMS).   The significance of this standard is that preparing for implementing this standard starts with a Risk Assessment which will highlight the information risks to which an organisation is exposed.  Risk Treatment plans should then be developed for managing the identified risks.  The importance of the Risk Assessment and Risk Treatment plan process is that they enable organisations to demonstrate that thei security measures they have implemented  are appropriate to their risks.

Cyber security measures as contained in the UK Government’s Cyber security scheme and the NIST (US National Institute of Standards and Technology) Cyber Security framework will also constitute appropriate technical and organisational measures to a large extent.

For practical reasons, we have provided a free Cyber Security Assessment based on the UK Government’s Assessment in our product set. We have also provided a 20 Question Cyber Security Assessment, simplified but based on this, for you to carry out your own free online assessment.  Click here to access the 20 Question Cyber Security Assessment.

While we have based the Security Assessment on the above, we are experienced  in ISO27001/2 from a broader Information Security Management perspective and will make a similar assessment available on this site soon.

Please contact us for more information about our approach to assisting organisations to establish reasonable organisational and technical measures for EU GDPR Security of Processing compliance.