Security is an essential part of the protection of personal data. It is binding on every data controller and data processor under Article 32 of the General Data Protection Regulation (GDPR). In principle, each processing operation must be covered by a set of security measures chosen according to its context, namely "useful precautions, having regard to the nature of the data and the risks presented by the processing" (Article 121 of the French Data Protection Act). The GDPR specifies that the protection of personal data requires "appropriate technical and organisational measures to ensure a level of security appropriate to the risk" to the rights and freedoms of natural persons, including their privacy.
To assess the measures to be put in place, two complementary approaches are to be deployed:
– establishing a security baseline of good practices built up over years of IT hygiene and security experience (e.g. regulations, standards, guides). This baseline addresses the most common risks;
– carrying out a risk analysis for the persons concerned by the processing, which identifies and assesses the risks specific to that processing. Such an analysis supports objective decisions on how to treat those risks and on which measures are necessary and appropriate in context.
However, it is difficult for people who are not IT security specialists to implement such an approach and to be confident that the level of security of the processing they are responsible for is sufficient.
To help with compliance, this guide presents a set of recommendations grouped by thematic factsheets. Each factsheet is structured in three sections:
– basic precautions, which cover essential good practices;
– common bad practices, which should be avoided;
– additional measures, for those who want to go further.