A controller and a processor are entities that process large volumes of data in order to offer services to their customer base. Apart from complying with the GDPR norms, these entities are also responsible for the security of the personal data they process.
Article 32 lists the measures that a controller and processor must adopt to prevent breaches of the personal data. The factors that must be taken into consideration while implementing security measures are as follows:
- State of the art technology
- Cost of implementation
- The nature and scope of the processing
- The purpose of the processing
- The rights and freedoms of the natural persons
Once these factors have been considered, the controller and processor can adopt the following measures, which are the minimum the GDPR specifically provides for:
- Pseudonymisation of personal data, e.g. by encrypting it so that the data is not easily accessible and the individual cannot be identified.
- Resilient processing systems and services that cannot be tampered with
- The ability to restore the data in the eventuality of an accident
- A process by which the implemented measures can be regularly checked for their efficacy
Once the controller and processor have put all the security measures in place, an approved code of conduct or certification mechanism can be used to demonstrate that the requirements of the GDPR have been met. A final point to note is that no individual other than the controller or processor may process the personal data, except on the controller's instructions or as permitted by Union or Member State law.
In order to keep up with the demands of an ever-evolving technological landscape, only the latest and most advanced technology can be utilised to avoid data breaches. However, a small organisation may find it difficult to implement these measures and may end up compromising its data security.
Moreover, the factors listed above, which are meant to serve as the foundation for implementing the measures, are open to interpretation, and each entity will in all probability implement measures that suit its budget at the expense of the security of data subjects. Further implementation of the GDPR should help define these factors more accurately.