Appropriate Technical & Organisational Measures
The GDPR refers to the ‘appropriate technical and organisational measures’ 92 times! This alone emphasises the importance of having these measures in place. But what are they? Unfortunately, the Regulation doesn’t go into any detail about these measures and what exactly they are. Hence the creation of this article.
The GDPR references these measures in areas such as:
- “A controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures”.
- “Assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing”.
- “Appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met”.
These measures are a requirement for the security of processing. Their development and integration into your data protection framework aim to prevent breaches and ensure privacy by design. Simply put, technical and organisational measures are the functions, processes, controls, systems and procedures used to protect and secure the personal information that you process.
Recital 78 states:
“Appropriate technical and organisational measures [should] be taken to ensure the requirements of [the] Regulation are met. Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features.”
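Recital 78 names pseudonymisation as a measure but says nothing about how to do it. The following is an added example, not code from the original article or from any project it mentions, showing keyed pseudonymisation of identifiers with HMAC-SHA256: records stay linkable (same identifier, same pseudonym) while re-identification requires a key that is stored separately from the data. The key value, field names and sample records are constructed for the example.

```python
"""Keyed pseudonymisation of personal identifiers (added example).

Why keyed: a plain hash of an e-mail address can be recomputed by anyone
who can guess candidate addresses, so it is not a meaningful protection.
An HMAC with a secret key cannot be recomputed without that key, which is
held apart from the pseudonymised dataset (a separate secrets store).
"""
import hashlib
import hmac
import secrets

# Constructed placeholder key for a runnable example. In practice use
# generate_key() once, store the result in a secrets manager, and never
# keep it alongside the pseudonymised records.
DEMO_KEY = bytes.fromhex("00" * 32)


def generate_key() -> bytes:
    """Return a fresh 256-bit pseudonymisation key."""
    return secrets.token_bytes(32)


def pseudonymise(identifier: str, key: bytes) -> str:
    """Map one identifier to a hex pseudonym, deterministic for a given key.

    Trimming and lower-casing keeps 'Alice@Example.com' and
    ' alice@example.com ' linked to the same pseudonym.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise_records(records, key: bytes, fields=("email",)):
    """Return copies of the records with the named fields pseudonymised.

    Non-identifying fields are left untouched so the data remains usable
    for analysis without carrying the direct identifier.
    """
    result = []
    for record in records:
        copy = dict(record)
        for field in fields:
            if field in copy:
                copy[field] = pseudonymise(copy[field], key)
        result.append(copy)
    return result


if __name__ == "__main__":
    # Constructed sample records.
    sample = [{"email": "Alice@Example.com", "plan": "pro"},
              {"email": " alice@example.com ", "plan": "trial"}]
    for row in pseudonymise_records(sample, DEMO_KEY):
        print(row)
```

Two different keys yield unrelated pseudonyms for the same identifier, which is what makes key separation (and key destruction at the end of the retention period) a control rather than a formality.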
How Do I Identify Relevant Technical & Organisational Measures?
The technical and organisational measures you take to comply with the GDPR are largely dependent on the size, scope and activities of your business. You will also need to consider the type of personal data being processed as well as the volume. The scope of possible measures is extensive. It spans vulnerability scans and risk management, through to firewalls and third-party due diligence.
The best place to start is by carrying out a risk assessment on all processing activities and information systems. This can be done using your existing information audit so that you encompass all personal data and where it flows to and from. Your aim is to identify gaps, vulnerabilities and weaknesses in any area where personal data is processed, enabling you to develop controls and tools to mitigate the risk; those controls and tools are your technical and organisational measures.
IDENTIFY ⇒ ASSESS ⇒ MITIGATE ⇒ COMPLY
Examples of GDPR Organisational Measures
Think of your GDPR organisational measures as any steps, actions or controls that you can take to comply with the data protection rules and protect personal data. The below list is not exhaustive; however, it does provide some examples of the types of GDPR measures classified as ‘organisational’.
- Information Security Policies – Scope and content will depend on the size of the organisation and type of processing activities. Smaller firms may only require a standard information security policy. However, larger or more complex businesses will need policies in specific areas such as remote access, asset management and password controls
- Business Continuity – Regardless of size, all organisations should have a Business Continuity Plan. Measures for protecting personal data and upholding the GDPR principles are at the heart of any effective disaster recovery programme. How is data secured, accessed, recovered and maintained in the event of an incident?
- Risk Assessment – Assess high-risk data and processing activities and develop mitigating solutions to prevent or reduce risks. A Data Protection Impact Assessment is often a mandatory requirement if the processing is high risk.
- Policies and Procedures – Ensure that you have effective and compliant data protection policies and procedures in place. These should be readily available to employees as a form of guidance and support. Documenting your GDPR obligations, objectives and controls is one of the key organisational measures.
- Management Information & Reporting – Regular reporting and management information is invaluable. It should cover data protection risks, mitigating measures and requirements, so that it feeds into effective technical and organisational measures. It also informs decisions on funding and resources, which are vital for accountability at all levels.
- Awareness & Training – A culture of security and data protection awareness is the foundation of any business with GDPR responsibilities. Ensuring that employees, contractors and visitors understand what your data protection obligations are will help to maintain compliance. Signposting is a user-friendly way of reminding people of the GDPR obligations. Regular and ongoing training sessions inform, guide and support.
- Reviews & Audits – You may have all of the policies, controls and measures in place, but how do you know they are effective? Reviewing and auditing functions, activities and systems is mandatory for most businesses. You should be able to evidence that your policies and controls are fit for purpose. Completing a GDPR self assessment on a regular basis can help to review the key compliance areas and identify any gaps before they become a breach.
- Due Diligence – Who you form business relationships with is just as important as the steps you take to comply with the GDPR. Do you know who your employees are and what their background is? Are your suppliers as compliant with the data protection laws as you are? There is little point putting extensive security and data protection measures into place if you are going to pass data to a third-party who cannot guarantee its safety or protection.
Examples of GDPR Technical Measures
Technical measures are usually defined as the measures and controls applied to the systems and technological aspects of an organisation. These include devices, networks and hardware. Protecting such aspects is vital to data security, but it goes beyond securing access to devices and systems.
The points below are just a few of the areas that could be considered as ‘technical measures’ and are by no means exhaustive.
- Building Security – Robust measures and protocols for securing access to any office or building are ‘security 101’! Make sure that all employees are aware of the controls and requirements. Measures can include:
- Security lighting and alarms.
- Visitor logs and ID badges.
- Use of biometric locks.
- Restricted access protocols.
- Disposal – Ensure adequate and compliant disposal of paperwork and devices. There should also be protocols for any device that is used outside the workplace or is lost. Shredding and certified disposal of hard-copy records is essential where personal data is concerned. IT departments or knowledgeable persons should be in charge of IT disposal to guarantee effective and complete erasure of any personal data or access.
- Cyber Security – An extensive area that requires its own cyber security article, because today’s technology exposes organisations to advanced forms of hacking, vulnerabilities and constantly evolving threats. At the most basic level cyber security involves firewalls, malware scans, anti-virus protection, patches and updates.
- Passwords – It should go without saying that forcing strong passwords is essential. Likewise, regular prompts to change passwords for users is best practice. Employees should be reminded not to share passwords and consideration must be given to new devices, hardware and applications that often come with ‘default’ logins and passwords.
- The ICO has greatly increased its ‘Security’ guidance in relation to the GDPR, and now offers suggestions and measures that should be included in your technical and organisational controls – https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/security
- The ICO also recommends adhering to frameworks such as the government’s Cyber Essentials – https://www.cyberessentials.ncsc.gov.uk
- In addition to our many GDPR packages, we also include an extensive Information Security Policy set in our GDPR Toolkit, or available as a standalone pack – https://www.knowyourcompliance.com/product-category/gdpr
Updated from an article originally posted in June 2020.