GDPR and security

Source: European Data Protection: Law and Practice, second edition 2019. An IAPP Publication.

So, what can data protection professionals do to put their organisations in the best position possible? Where should they look to understand the meaning of ‘appropriate technical and organisational measures’? As well as consulting with their internal security professionals about the nature of the security threats and risks and the nature of the response strategy, they can seek to familiarise themselves with some of the key pieces of readily available learning. Fruitful areas for review include:

• Related pieces of the legislative framework that contain security provisions, such as the NIS Directive, the ePrivacy Directive, the Cybercrime Directive and the Payment Services Directive No. 2.

• The output of institutions, such as WP29, the European Data Protection Supervisor and the European Union Agency for Network and Information Security.

• The output of security centres of excellence, such as the National Cyber Security Centre in the UK.

• Policy frameworks of national governments, such as national cybersecurity plans.

• Regulatory policy statements and other guidance issued by the national data protection regulators and by sector regulators.

• Decisions in regulatory enforcement actions brought by the national data protection regulators and related regulators.

• Decisions of courts and tribunals in related areas.

• National and international standards for best practice, such as the ISO 27000 series, the Payment Card Industry Data Security Standard, CBEST and the NIST framework.

• Threat assessment reports and subject matter white papers published by IT security companies and security consultants.

• The output of relevant professional associations and affinity groups. There are many operating in the space, such as the Cloud Security Alliance and the Information Security Forum.

This list is not exhaustive, but it should give the data protection professional a fairly good impression of the range of available resources in determining an appropriate level of security.