The GDPR requires that personal data be processed in a way that ensures its security.  The nature of the security and the steps taken must be ‘appropriate’ given the level of the risk.

What is deemed as an appropriate level of security will naturally vary from organisation to organisation, as will the technical or organisational measures taken. The regulation specifies that consideration should be given to the nature, scope, context and purpose of the data processed, along with the costs of implementing the protection and the’ state of the art’ available when setting the appropriate levels of security.

Some of the security measures suggested by the GDPR, subject to the appropriateness test, include:

  • the pseudonymisation and encryption of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

It is interesting, if we just consider the first bullet point above, even though pseudonymised data is still considered personal data and subject to the GDPR’s personal data requirements, its use is recognised as a ‘designed’  means to reduce risk for the data subjects concerned. Also, if there is a breach, data subjects may not need to be notified, if the key that allows decrypting was not compromised.

When considering the level of security needed when processing data, an organisation should also take into account the risks they face for example from: accidental or unlawful destruction; unauthorised disclosure or access to personal data and; accidental loss or alteration.

The data controller and processor also have a responsibility to ensure that any person acting under their authority and that has access to personal data, does not process that data unless they have specific instructions to do so.

To show compliance with the requirements set out above, an organisation can adhere to an approved code of conduct or certification mechanism.  The details of these methods of compliance are found in article 40 and 42 of the GDPR. Associations and other bodies representing categories of controllers or processors can prepare these codes of conduct and the certification bodies must be approved by the supervisory authority of the relevant member state.

These supervisory authorities should encourage the drawing up of these codes of conduct, as they are intended to contribute to the proper application of the GDPR.  These codes of conduct will also be actively promoted by the Commission and also made available publicly.

From a business perspective, seeking to be certified as compliant, would go a long way to demonstrating an organisation’s commitment to the GDPR.

Next month we will be providing insight into the International Transfers aspects of the GDPR. If you would like to discuss the GDPR further please get in contact with us via: