The GDPR refers to having the ‘appropriate technical and organisational measures’ in place 89 times, stressing the importance the Regulation places on such measures. However, when it comes to defining exactly what these measures are, the Regulation is not quite as generous! The GDPR references these measures in areas such as:
- “a controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures”
- “assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing”
- “appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met”
These measures are a requirement for the security of processing, preventing breaches, ensuring suitable processors, records of processing activities, privacy by design, and a strong foundation for ensuring the rights and freedoms of data subjects, among many other areas; but what are they?