GDPR Technical and organisational measures
In the new COMMISSION IMPLEMENTING DECISION (EU) 2021/915 of 4 June 2021, Annex III describes technical and organisational measures (this is Article 32 GDPR). This is the first time we can read examples of these measures, and in particular their types. It is the Controller's role to choose and find the best measures.
What can we find in this decision?
The first important point is that the Controller must ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, as well as the risks to the rights and freedoms of natural persons. The decision gives examples of possible measures:
Measures of pseudonymisation and encryption of personal data (this requires suitable, appropriate software)
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
Measures for user identification and authorisation (access passwords)
Measures for the protection of data during transmission
Measures for the protection of data during storage
Measures for ensuring physical security of locations at which personal data are processed
Measures for ensuring events logging
Measures for ensuring system configuration, including default configuration
Measures for internal IT and IT security governance and management
Measures for certification/assurance of processes and products
Measures for ensuring data minimization
Measures for ensuring data quality
Measures for ensuring limited data retention
Measures for ensuring accountability
Measures for allowing data portability and ensuring erasure
This is only a very general description of example measures. Every Controller should make it more detailed for its own processing.