Understanding GDPR Technical and Organisational Measures
Although the General Data Protection Regulation (GDPR) has been in place for over four years, some concepts and notions are still a topic of hot discussion and continue to confuse stakeholders. Earlier in our data protection series of articles, we addressed the European regulation of cross-border data transfers. In this article, we will shed some light on data controllers’ obligation to implement appropriate technical and organisational measures when processing personal data.
As envisaged by Article 24 (Responsibility of the controller) of the GDPR, data controllers need to implement appropriate technical and organisational measures to ensure data processing complies with the regulation. Notably, data processors also need to implement such measures when processing personal data on behalf of a controller. These measures must be in place to comply with data protection by design and by default and security obligations.
But what are ‘appropriate technical and organisational measures’? The immediate answer is that GDPR does not provide a clear definition. This, on the one hand, provides some room for flexibility in business choices, but on the other hand, can be confusing from a practical standpoint.
To help you understand what these measures are and how you can put them in place, we will provide you with some examples below.
Technical measures relate to systems and technological aspects of data controllers and processors. These measures may include, as appropriate to your business and activities:
- implementing pseudonymization and encryption of personal data (these are expressly named in the GDPR);
- developing and implementing cybersecurity processes: when processing personal data, these should address system vulnerabilities and help prevent hacking and other cyberattacks. You may consult an IT department to implement best practices such as anti-virus protection, malware scans, firewalls, and software updates;
- having effective backup and disaster recovery processes;
- implementing processes for automated deletion of personal data, covering both systems and physical media (e.g. paper records containing personal data);
- setting strong passwords to protect your systems, including separate passwords for documents containing special categories of personal data;
- granting applicable access rights: access should be granted on a “need-to-know” basis and general access should be avoided; and
- developing physical security measures: robust measures for securing access to premises, visitor logs, security lighting and alarms.
Organisational measures include steps, processes and actions within your organisation to comply with the GDPR. Primarily, this includes developing data protection policies for your organisation that will be followed by everyone. However, it is important to note that simply developing and implementing data protection policies is not enough, and the following tools may also be implemented:
- establishing continuing risk assessment of data processing;
- developing information security policies;
- establishing internal allocation of responsibilities regarding data processing;
- developing reporting, due diligence, training and audit strategies and processes; and
- following policy compliance mechanisms.
As mentioned above, there is no exhaustive list that you can follow to implement appropriate technical and organisational measures. Despite this, to evaluate which additional or complementary measures are recommended for your organisation, you can consider the following criteria:
- nature (consider what type of data you process);
- scope (assess the volume of data and overall amount of data subjects);
- context and purpose;
- risks of varying likelihood and severity for the rights and freedoms of individuals.
Additionally, for the data protection by design and by default and security obligations:
- look at the state of the art (best industry practices);
- evaluate the cost of implementation.
Further, carrying out a risk assessment of your data processing activities is vital. Where the risk is higher, you will be required to implement more sophisticated measures. Your degree of responsibility in implementing those measures is also a criterion that data protection authorities consider when deciding whether to impose a fine, which may reach €20 million or 4% of your annual global turnover, whichever is greater.
Implementing technical and organisational measures is a key step in ensuring GDPR compliance. Non-compliance can lead to the highest level of fines and other sanctions. If you want to understand whether your company is following the rules, contact our data protection expert, schedule a 20-minute consultation, and we will help you with this and other issues.