Data protection regulation refers numerous times to ‘technical and organisational measures’. These are the measures an organisation takes to protect personal data, and in all cases they should take into account the state of the art, the cost of implementation, and the nature, scope and purposes of the processing. In other words, an organisation should assess its risks and put appropriate measures in place based on what is available and what is practical. Although not exhaustive, this article provides an overview of the types of measures which might be put in place.
Technical Measures
Technical measures refer to any additional protection which can be placed around personal data through a technical solution. These may include:
- Firewalls to protect the organisation's network
- Technical security such as strong user access controls (authentication and authorisation)
- Encryption of data whilst it is in transit (TLS/HTTPS on websites, for example)
- Encryption of data whilst it is at rest (full-disk encryption on laptops, for example)
- Penetration testing, to identify vulnerabilities in networks and systems
- Implementation of standards such as Cyber Essentials or ISO/IEC 27001
Organisational Measures
Organisational measures refer to any additional protection which can be placed around personal data through an operational solution. These may include:
- Clearly defined policies, understood by all colleagues
- Physical security of the organisation's buildings
- Minimisation of data collection as part of the business process
- Anonymisation or pseudonymisation of personal data (pseudonymised data remains personal data while the organisation can still re-identify it, so the key or lookup table must be kept separately and protected)
- Regular staff awareness training
- Data retention schedules
- Procedures to ensure data subjects' rights can be exercised
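Pseudonymisation is the one item in the lists above that is more technique than policy, and it is easy to get wrong. The following is an added example, not code from the original article: it pseudonymises a constructed customer extract with a keyed hash (HMAC-SHA256) so that records about the same person stay linkable for analysis, and contrasts that with an unkeyed SHA-256, which an attacker who can guess candidate identifiers simply recomputes and matches. The sample records, the candidate list and the demo key are all constructed here for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records: a small customer extract containing a direct identifier.
RECORDS = [
    {"email": "alice@example.com", "order_total": 120.50},
    {"email": "bob@example.com", "order_total": 42.00},
    {"email": "alice@example.com", "order_total": 15.99},
]

# Constructed list of identifiers an attacker might guess (e.g. from a marketing list).
CANDIDATES = ["alice@example.com", "bob@example.com", "carol@example.com"]

# The secret key is the "additional information" that must be stored separately from
# the pseudonymised dataset. Generated here for the demo; in practice it lives in a
# secrets manager / HSM, not next to the data.
DEMO_KEY = secrets.token_bytes(32)


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256 of the (normalised) identifier.

    Looks opaque, but anyone who can enumerate plausible identifiers can recompute
    the same digest and re-identify the record. This is NOT adequate pseudonymisation.
    """
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 of the (normalised) identifier under a secret key.

    Same identifier -> same pseudonym, so one person's records remain linkable for
    analysis, but without the key a third party can neither recompute nor verify a guess.
    """
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Replace the direct identifier with a keyed pseudonym, dropping the original value."""
    return [
        {"subject": keyed_pseudonym(r["email"], key), "order_total": r["order_total"]}
        for r in records
    ]


def dictionary_attack(pseudonyms, candidates, key=None):
    """Attempt re-identification by hashing guessed identifiers and matching.

    With key=None the attacker only has the dataset and tries the unkeyed scheme.
    Returns a mapping pseudonym -> recovered identifier for every hit.
    """
    hits = {}
    for candidate in candidates:
        guess = keyed_pseudonym(candidate, key) if key is not None else naive_pseudonym(candidate)
        if guess in pseudonyms:
            hits[guess] = candidate
    return hits


if __name__ == "__main__":
    naive = {naive_pseudonym(r["email"]) for r in RECORDS}
    print("unkeyed SHA-256, re-identified:", dictionary_attack(naive, CANDIDATES))

    out = pseudonymise(RECORDS, DEMO_KEY)
    keyed = {r["subject"] for r in out}
    print("HMAC without key, re-identified:", dictionary_attack(keyed, CANDIDATES))
    print("HMAC with key (controller), re-identified:", dictionary_attack(keyed, CANDIDATES, DEMO_KEY))
    print("records 0 and 2 linkable:", out[0]["subject"] == out[2]["subject"])
```

Two design points matter in practice. First, normalise the identifier before hashing (case, whitespace), otherwise the same person produces different pseudonyms and the data loses its analytic value. Second, because the controller holding the key can still re-identify every record, the output is pseudonymised rather than anonymised data; truly anonymising it would require discarding the key and checking that the remaining attributes (here, order totals) do not single anyone out.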