Technical Measures and Privacy
First of all, when talking about technical measures and privacy, the truth must be told: please don’t count on this post if you need a comprehensive list of measures to protect the personal data processed in your entity. For that, I suggest following one of the most important and relevant security frameworks available, such as COBIT, ISO 27001 or NIST. Send us an email if you need help. We are your Privacy Manager in Spain, Europe.
So, what is this post about? Primarily, it is an introductory post about the general security concepts your entity needs to have in place.
Technical Measures: the concept of “appropriate“
Since I work in the GDPR jurisdiction, I’ll start the brief analysis with the help of the text of Art. 32 GDPR. Critically, all the measures put in place must be appropriate. Easy, isn’t it?
Well, yes… but no. Your company should select the security measures depending on the following parameters:
- firstly, state of the art
- next, the costs of implementation
- then, the nature, scope, context and purposes of processing
- finally, the risk and severity for the rights and freedoms of natural persons
Now things start to make more sense. Incidentally, Art. 32 GDPR is also a very strong argument against the blues singers. They usually say: “The GDPR mandates the same security measures for a big multinational company and for an SME“. Nope: the measures should be appropriate. Therefore, the measures will be different, according to the parameters mentioned above.
Art. 32 GDPR also mentions another parameter to evaluate the appropriateness of the security measures: they have to (reasonably) ensure a level of security appropriate to the risk related to the processing. As a result, the riskier the processing, the more robust the security must be. It makes sense, doesn’t it?
Despite the vague definition of appropriateness, your company can start by adopting at least the following measures:
- the pseudonymisation and encryption of personal data
- tools to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
- tools to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
Additionally, regular testing, assessing and evaluating of the effectiveness of the implemented measures must be carried out. Did I mention “regularly“?
Assessing the appropriateness
How do I know if my measures are appropriate? Assess them, taking a close look at the risks presented by the processing. As an illustration, ask yourself the following questions:
- Can we reach our goal with more secure technologies?
- How much do they cost?
- Will they be easy to implement?
- Is there any method to calculate the return on investment?
- Are my employees correctly trained?
- Can you avoid accidental or unlawful destruction, loss or alteration of the information?
- Can you prevent unauthorized disclosure?
- Are the rights to access correctly distributed?
A short list of security measures categories
Again, this is not a comprehensive list, but it is still a starting point. Based on the brand-new ISO 27002, you may implement the following technological controls:
- first, privileged access rights
- second, information access restrictions
- then, protection against malware
- next, monitoring activities
- finally, use of cryptography
Do you want to know more? Here we are to help you! Call us now!
(Note: if your entity is in another jurisdiction, like the US, don’t hesitate to contact us. We have a solution for you.)