What security measures do I need to put in place as a result of this new law?
Organizations must use appropriate technical and organizational security measures to protect personal data against unauthorized processing and accidental disclosure, access, loss, destruction, or alteration. Depending on the specific use case and personal data processed, the use of data segregation, encryption, pseudonymization, and anonymization is recommended, and in some cases required, to help protect personal data.
Here are a few suggested measures that organizations can put in place to protect personal data:
- Encryption: Although not required, the law encourages encryption as an effective way to help ensure the security and confidentiality of personal data.
- Pseudonymization: The GDPR encourages organizations to use pseudonymization as a risk-based measure to protect data security and the rights of individuals.
- Anonymization: One step up from pseudonymization, anonymizing data is the most secure way to protect personal data. To be considered truly anonymous, it must be impossible for any individual to be identified from the data by any further processing or by combining data with other information.
- Accountability: Under the GDPR, a data controller is responsible for implementing measures to ensure that the personal data it controls is handled in compliance with the principles of the GDPR. This includes appointing a data protection officer, imposing contractual obligations on processors, and using the principles of “privacy by design” and “privacy by default.” Additionally, a data controller must be able to demonstrate compliance, including by keeping a record of processing activities and conducting privacy impact assessments.
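To make the difference between the pseudonymization and anonymization measures above concrete, here is an added example (written for this page, not code from the original text or any product). It uses constructed sample records and a keyed HMAC: the same person receives the same token, so analysis remains possible, but only whoever holds the secret key can relink tokens to identities, which is why pseudonymized data is still personal data; the anonymized form drops the identifier and generalizes quasi-identifiers instead.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; these are not real people.
RECORDS = [
    {"email": "alice@example.com", "birth_year": 1984, "city": "Lyon", "diagnosis": "asthma"},
    {"email": "bob@example.com", "birth_year": 1991, "city": "Lyon", "diagnosis": "flu"},
    {"email": "alice@example.com", "birth_year": 1984, "city": "Lyon", "diagnosis": "flu"},
]


def new_pseudonymization_key() -> bytes:
    """Secret key kept separately from the pseudonymized data set (e.g. in a KMS/HSM)."""
    return secrets.token_bytes(32)


def _token(identifier: str, key: bytes) -> str:
    # Keyed hash: without the key, a token cannot be recomputed or brute-forced
    # from a list of candidate e-mail addresses, unlike a plain SHA-256 of the value.
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymize(record: dict, key: bytes) -> dict:
    """Replace the direct identifier with a keyed token; other fields are kept."""
    out = dict(record)
    out["subject_id"] = _token(out.pop("email"), key)
    return out


def relink(pseudonymized: list, key: bytes, known_identities: list) -> list:
    """Re-identification, possible only for the key holder: recompute tokens for the
    identities it legitimately holds and match them against the data set."""
    lookup = {_token(e, key): e for e in known_identities}
    return [lookup.get(r["subject_id"]) for r in pseudonymized]


def anonymize(record: dict) -> dict:
    """Drop the identifier entirely and generalize quasi-identifiers (birth year to a
    decade band, city removed) so that combining with other data does not re-identify.
    Whether this is 'truly anonymous' still depends on the other data available."""
    return {"birth_decade": (record["birth_year"] // 10) * 10, "diagnosis": record["diagnosis"]}


if __name__ == "__main__":
    key = new_pseudonymization_key()
    for r in RECORDS:
        print(pseudonymize(r, key), anonymize(r))
```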
Note that under the GDPR, data controllers must report any data breach to their data protection authority as soon as possible, and no later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in any harm to the data subjects. If there is a high risk of harm, data controllers must also report the breach to the affected data subjects as soon as possible. Data processors must notify data controllers of data breaches as soon as possible.