You must protect the personal data for which you are responsible with appropriate technical and organisational measures and ensure that processing complies with the principles of the GDPR.
Article 32 GDPR requires a level of security appropriate to the risk and names, among others, the following measures for achieving it:
- "the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing."
How can you implement these technical and organisational measures?
You can use measures such as the following to ensure the protection and security of the data:
- Access control: e.g. access to server rooms only with a key or chip card, office rooms secured with an alarm system
- Integrity (least-privilege authorisation): e.g. user permissions restricted to each role's tasks (the marketing department can access only newsletter data, accounting additionally HR data)
- Pseudonymisation: e.g. replacement of data that identifies a person by random codes, with the code-to-person mapping kept separately
- Encryption: e.g. full-disk encryption, or a cloud solution that encrypts stored data
- Transmission control: e.g. TLS for websites (https://) so that data submitted through forms is encrypted in transit
- Confidentiality: e.g. password policies
- Recoverability: e.g. backups that are regularly tested by actually restoring them
- Evaluation: e.g. annual review of the technical and organisational measures for effectiveness and plausibility
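The pseudonymisation entry above, as an added example written for this page (not code from the original guidance): direct identifiers are replaced by random codes, the code-to-person mapping is returned separately so it can be stored under its own access controls, and a check confirms that no identifier survives in the pseudonymised records. The sample records, the field names `email` and `name`, and the 64-bit code length are assumptions for illustration. It also goes one step beyond the list entry and shows a keyed alternative for cases where the same person must receive the same pseudonym across datasets without sharing a mapping table; an unkeyed hash of an e-mail address is not used because such hashes can be reversed by guessing.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; the people and values are invented.
RECORDS = [
    {"email": "anna@example.com", "name": "Anna Example", "plan": "pro", "clicks": 12},
    {"email": "ben@example.com", "name": "Ben Example", "plan": "free", "clicks": 3},
    {"email": "anna@example.com", "name": "Anna Example", "plan": "pro", "clicks": 7},
]

# Assumed set of fields that directly identify a person.
DIRECT_IDENTIFIERS = ("email", "name")


def pseudonymise(records, identifier_fields=DIRECT_IDENTIFIERS):
    """Replace direct identifiers with random codes.

    Returns (pseudonymised_records, mapping). The mapping (code -> original
    identifier values) is the "additional information" that must be kept
    separately and protected; the pseudonymised records alone do not
    identify anyone.
    """
    mapping = {}   # code -> original identifier values
    seen = {}      # identifier tuple -> code, so one person gets one code
    out = []
    for rec in records:
        key = tuple(rec[f] for f in identifier_fields)
        code = seen.get(key)
        if code is None:
            # 64 random bits from the OS CSPRNG; unrelated to the data itself.
            code = secrets.token_hex(8)
            seen[key] = code
            mapping[code] = dict(zip(identifier_fields, key))
        stripped = {k: v for k, v in rec.items() if k not in identifier_fields}
        stripped["subject"] = code
        out.append(stripped)
    return out, mapping


def reidentify(pseudonymised_record, mapping):
    """Restore the identifiers; only whoever holds the mapping can do this."""
    rec = dict(pseudonymised_record)
    rec.update(mapping[rec.pop("subject")])
    return rec


def contains_identifier(records, identifier_fields=DIRECT_IDENTIFIERS):
    """True if any record still carries a direct identifier field."""
    return any(f in r for r in records for f in identifier_fields)


def keyed_pseudonym(value, key):
    """Deterministic pseudonym via HMAC-SHA256 under a secret key.

    Without the key an attacker cannot confirm a guessed e-mail address by
    recomputing the pseudonym, unlike a plain SHA-256 of the address.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    pseudonymised, mapping = pseudonymise(RECORDS)
    print("pseudonymised records:", pseudonymised)
    print("identifiers remaining:", contains_identifier(pseudonymised))
    print("re-identified second record:", reidentify(pseudonymised[1], mapping))
    key = secrets.token_bytes(32)   # stored separately, e.g. in a key vault
    print("keyed pseudonym:", keyed_pseudonym("anna@example.com", key))
```

Store `mapping` (or the HMAC key) in a different system with stricter access control than the pseudonymised data; if both sit in the same place, the measure adds little.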
Depending on the risk, you must choose the appropriate technical and organisational measures. In the future we will provide further examples here.