Are the GDPR Recitals Important?

YES! Organisations should read the Recitals alongside the Articles to ensure complete compliance with the Regulation. The Recitals provide a mixture of additional information and supporting context that supplements the Articles.

The information provided in the GDPR Recitals serves to make the Articles more relatable to businesses and provides essential information for effectively implementing the GDPR. An example of how the Recitals support and add to the Articles can be found below.

Article 25 – Data Protection by Design & Default. This GDPR Article relates to the risks posed by processing and the requirement to implement appropriate technical and organisational measures. The Article names pseudonymisation and data minimisation specifically. Reading it in conjunction with Recitals 78 & 83 provides additional context and insight and gives a better understanding. Recital 78 states that in order to be able to demonstrate compliance with the GDPR, internal policies must be adopted. The appropriate measures can include:

  • Minimising the processing of personal data.
  • Pseudonymising personal data as soon as possible.
  • Transparency of processing, enabling the data subject to monitor the data processing.

Recital 83 advises controllers to evaluate the risks of processing and implement measures to mitigate those risks. Such controls can include encryption and ensuring an appropriate level of security and confidentiality. Further Recitals referencing data protection by design and default are 28 & 29, which are specific to pseudonymisation. Recital 77 also gives context to the guidelines on risk assessments.
