The security measures provided for by the GDPR are among the requirements to reduce the risks deriving from the processing of personal data. Let’s see in detail the new rules introduced by the European Privacy Regulation and some practical examples.
What are the security measures?
Security measures are the practical technical and organizational steps that those who process personal data must take to keep that data secure. Tools that guarantee the protection and correct storage of data (e.g. data encryption) are technical security measures. Organizational security measures are the activities and obligations carried out to ensure that the GDPR is applied and that the risks deriving from the processing of data are reduced (e.g. adherence to a code of conduct or the use of an access certification mechanism).
The security measures provided for by the GDPR must be adopted by the data controller and the data processor in a manner appropriate to the specific case. There is no fixed list of measures to be taken; however, the GDPR lists the following security measures by way of example:
- encryption and pseudonymization: for example, the use of algorithms for encrypting stored data and anonymizing data to ensure confidentiality
- guarantee of confidentiality: for example, access restriction, access monitoring, firewalls, passwords and secure credentials
- guarantee of integrity, availability, resilience and timely recovery: for example, the adoption of backup mechanisms or particular types of data storage (redundant storage)
- verification procedures to test the effectiveness of the measures taken: for example, independent audits to verify and control privacy compliance
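As an added illustration of the pseudonymization named in the first bullet (example code, not part of the original article): direct identifiers are replaced with keyed HMAC pseudonyms, and the key and the lookup table are kept apart from the working data set, which is what makes re-identification possible only for whoever holds that additional information. The sample record, the field names and the key handling are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample record (fictitious person); the direct identifiers are
# the fields that would let the record be attributed to a data subject.
RECORD = {"name": "Anna Rossi", "tax_code": "RSSNNA80A41H501X",
          "diagnosis": "BRCA1 variant carrier"}
DIRECT_IDENTIFIERS = ("name", "tax_code")


def new_key() -> bytes:
    # 256-bit secret: this is the "additional information" that must be
    # stored separately from the pseudonymized data set.
    return secrets.token_bytes(32)


def pseudonym(value: str, key: bytes) -> str:
    # Keyed HMAC-SHA256: deterministic for one key (records of the same
    # person stay linkable) but not invertible, and not guessable by anyone
    # who lacks the key, unlike a plain unkeyed hash of a known tax code.
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize(record: dict, key: bytes, fields=DIRECT_IDENTIFIERS):
    # Returns (pseudonymized record, mapping pseudonym -> original value).
    # The mapping is the lookup table the controller keeps apart from the
    # working data set; only it allows re-identification.
    out, mapping = dict(record), {}
    for field in fields:
        p = pseudonym(record[field], key)
        out[field] = p
        mapping[p] = record[field]
    return out, mapping


def reidentify(record: dict, mapping: dict, fields=DIRECT_IDENTIFIERS):
    # Reverses pseudonymization only for someone holding the mapping;
    # unknown pseudonyms are left as they are.
    return {f: (mapping.get(v, v) if f in fields else v)
            for f, v in record.items()}


if __name__ == "__main__":
    key = new_key()
    pseudo, table = pseudonymize(RECORD, key)
    print(pseudo)
    print(reidentify(pseudo, table) == RECORD)
```

A different key yields different pseudonyms for the same person, so a data set pseudonymized for one purpose cannot be linked to another without the keys.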
The rules on security measures introduced by the GDPR are also useful for minimizing the damage and risks deriving from a breach of personal data. In fact, if a security breach occurs, data can be destroyed, disclosed or stolen in an unauthorized way. In these cases, the data controller must document all violations and, in the most serious cases, notify the Guarantor for the protection of personal data of the violation (e.g. in the event of identity theft or damage to the reputation of the data subject).
If the Privacy Guarantor detects a violation of the GDPR regarding security measures, it can prescribe corrective measures and economic sanctions. These penalties can reach up to €10 million or up to 2% of the total annual worldwide turnover. This is why it is very important to take all appropriate security measures for the processing of personal data.
Minimum security measures
The Italian Privacy Code provided for some "minimum security measures" to be adopted. With the GDPR Regulation, this approach has been eliminated, embracing the concept of an open and non-exhaustive list of security measures. Our privacy code has therefore eliminated the minimum measures previously envisaged.
With the new approach, the security measures must be adequate and proportionate to the level of risk associated with the processing of personal data. For this, a risk analysis related to the specific case is necessary. Those who process data must make tailor-made operational and management choices and must be able to demonstrate that data processing complies with the GDPR (principle of accountability). Furthermore, the nature, context and purpose of the processing must be taken into account in the choice of security measures.
A practical example may be the processing of genetic data, which may require both technical security measures for encrypting information and data transmission and dedicated organizational security measures for the custody of genetic data, such as a specific procedure for identifying and limiting access to the premises where the data is stored.