What are the data security requirements under EU Law?
Key points:
DATA PROTECTION LAW REQUIREMENTS: A key principle of EU Data Protection Law is that personal data must be secured by means of ‘appropriate technical and organizational measures’ (this is the ‘security principle’ under the GDPR). This requires organizations to consider matters such as risk analysis, organizational policies, and physical and technical measures.
(1) Organizations must consider the state of the art and the costs of implementation when deciding what measures to take.
(2) Security measures must ensure the ‘confidentiality, integrity and availability’ of the systems and services and the personal data processed within them.
(3) The measures must also enable organizations to restore access and availability in a timely manner in the event of a physical or technical incident.
(4) Ultimately, the measures must be appropriate both to the specific circumstances of the organization and the risk that the processing poses.
(5) Where appropriate, organizations should look to use measures such as pseudonymisation and encryption.
(6) Organizations need to ensure that they have appropriate processes in place to test the effectiveness of their measures, and undertake any required improvements.