GDPR: adequate security measures and awareness

The GDPR requires that both controllers and processors implement adequate security measures in order to protect the processed personal data. The word ‘adequate’ seems vague and open to interpretation to most.

For security experts, however, it is clear that ‘adequate measures’ means that risk-based security control measures should be implemented. These have to be based on internationally recognised security standards, such as ISO2700x, NIST and ISF. These standards provide enough guidelines for security experts to objectively implement an Information Security Management System (ISMS) within organisations. A well implemented ISMS contains a sustained improvement cycle which allows for continuous progress of security controls, so that they keep providing the necessary adequate protection of personal data when the security landscape changes.

And it will change over time…

The GDPR is even more vague when it comes to awareness requirements for controllers and processors. The GDPR only mentions (in Article 39, on the tasks of the Data Protection Officer) that the DPO has the task of raising privacy awareness and training staff.
I would argue that this means that the DPO must ensure sufficient privacy and information security awareness, which is a basic requirement in every ISMS, as one cannot guarantee adequate security without adequate awareness.
Adequate awareness means that at least every department of an organisation has the necessary information on the privacy legislation and information security aspects relevant to their function in order to prevent and/or detect unauthorised data processing activities or data breaches. The required privacy and information security knowledge depends on the operational activities of the different organisational departments and roles.

In my next blog, I will give some tips for reaching awareness compliance.
