YES! Organisations should be reading the Recitals alongside the Articles to ensure complete compliance with, and understanding of, the Regulation.
The Recitals supply additional information and supporting context that supplement the Articles, make their intent clearer, and give practical guidance for implementing the GDPR effectively.
Article 25 (Data Protection by Design and by Default), for example, addresses the risks posed by processing and the requirement to implement appropriate technical and organisational measures, naming pseudonymisation and data minimisation as examples of such measures.
Read in conjunction with Recitals 78 and 83, the Article gains additional context. Recital 78 states that, in order to be able to demonstrate compliance with the GDPR, the controller should adopt internal policies and implement appropriate measures, which can include:
- Minimising the processing of personal data
- Pseudonymising personal data as soon as possible
- Transparency of processing, enabling the data subject to monitor the data processing
Recital 83 advises controllers and processors to evaluate the risks inherent in the processing and to implement measures that mitigate those risks, such as encryption, ensuring an appropriate level of security including confidentiality. Recitals 28 and 29 deal specifically with pseudonymisation, while Recital 77 addresses where guidance on appropriate measures and risk assessment can be obtained.