About security of the processing

By Alessandro Vallega | Sunday June 14th, 2015

Amendment 124 of the Proposal for a regulation, Article 30, states:

1.  “The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing, taking into account the results of a data protection impact assessment (…), having regard to the state of the art and the costs of their implementation.”

There are many interesting elements here, as I understand them (my highlights and proposed discussion topics are in parentheses):

  • The security measures must be appropriate to the risks (is the appropriateness judged by the controller and processor themselves? In which cases, and until when?)
  • The controller and the processor shall (jointly, and both of them?) take into account the results of a DP Impact Assessment (which therefore shall be carried out)
  • Considering the state of the art (this means that a set of security measures adequate today might no longer be adequate tomorrow)
  • and also considering the costs of their implementation…

The latter point is the most interesting. Does this mean that it is possible not to adopt all the security measures suggested by the risk and DP Impact Analysis if they cost too much for a company?

Category: Impact, Risk and Measures

About Alessandro Vallega

He is Security Business Development Director for Oracle EMEA. He is responsible for leading a cross-functional team on the GDPR (General Data Protection Regulation, EU 679/2016) at EMEA level (marketing, legal, sales, training, technology). He founded and coordinates an external blog on the same topic (https://europrivacy.info). He has defined a European methodology to evaluate the database security degree of a data center and the advantages of identity and access management technology. In 2007 he founded the Oracle Community for Security, and in that context led the creation of several publications about security and privacy in the cloud, on mobile, in social media, in healthcare, on return on security investment, on the role of the CISO, and on fraud prevention. He is an author of the Italian annual ICT Security Report by CLUSIT and is a member of the CLUSIT board of directors.
