Legal For

LAW FIRM


ART 5 – The Regulation Requires ‘Adequate Technical and Organisational Measures’ under Penalty of Fine

Although the failure to apply “adequate technical and organisational measures” as a mandatory step for ensuring data security required by the General Data Protection Regulation is one of the main reasons underlying sanctions applied by the ANSPDCP, it is important to note that the Regulation does not expressly define this phrase. It is true, however, that providing such a definition is extremely difficult, given the wide variety of practical situations to which it must be applied.

Given this lack of specificity, Article 24 of the Regulation leaves it to data controllers to choose the measures they apply to comply with the applicable legislation, while requiring them to be able to demonstrate that processing is carried out in accordance with the Regulation.

The intention of the European legislator can nonetheless be inferred, as it uses references throughout the Regulation such as: “effective measures,” “measures aimed at guaranteeing a lawful and fair processing,” “specific and appropriate measures to protect the rights, freedoms, legitimate interests and personal data of natural persons,” “reasonable measures,” “measures to mitigate risks (…) that ensure an appropriate level of security.”

Furthermore, the same legislative act specifies that the measures implemented shall take into account the nature, scope, context and purposes of processing, as well as risks of varying likelihood and severity for the rights and freedoms of data subjects. The controller must be able to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, and to restore the availability of and access to personal data in a timely manner in the event of a security incident.

In addition, some concrete examples of appropriate measures are provided, including pseudonymisation and encryption of data under Article 32 of the Regulation, minimising the amount of data processed and restricting access to it to specifically authorised persons offering sufficient guarantees, as well as adherence to approved codes of conduct or an approved certification mechanism where possible, to demonstrate compliance with legal requirements.

In light of the above examples of measures, it is recommended to establish internal policies discussed with employee representatives, broken down by type of processing activity, such as: human resources policy, physical access policy, video surveillance policy, data transfer policy, etc. Such policies should be periodically reviewed, tested, evaluated and adapted where appropriate.

Another recommendation concerns restricting access to data: requiring those involved in data processing to assume a confidentiality obligation (and, where feasible, stipulating a penalty clause); clearly indicating which persons may access the data and the purpose of processing by each of them; and selecting collaborators strictly from among those who have themselves implemented adequate technical and organisational measures. Also relevant in this context are the provisions of Article 28 of the Regulation, which require the controller to use only processors who provide sufficient guarantees for the implementation of adequate technical and organisational measures.