Technical and Organisational Measures

GDPR: Reporting Your “Technical and Organisational Security Measures”

You could almost be forgiven in thinking that words/phrases like; ‘pseudonymised’, ‘anonymised’, ‘access control’ or ‘encrypted’ are all that is required when reporting your technical and organisational security measures for Article 30 – Records of Processing Activities.

Almost.

The UK’s ICO themselves provided a sample of what records of processing should look like, and even included examples of content. Their column headed “General description of technical and organisational security measures (if possible)” contains just two examples; “encrypted storage and transfer” and “access controls“. So in the absence of more detailed guidance from any supervisory authority [that I have seen] just what are organisations supposed to do?

First, you need to understand that in Article 32 – Security of Processing, the phrase “technical and organisational security measures” is qualified twice by the one word that makes the whole thing not only clear, but very simple; “Appropriate”.

Article 32(1): “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk…”.

I’m not going to go into detail about how you define ‘appropriate’, I’ve already done that in GDPR: How Do You Define ‘Appropriate’ Security Measures?, but I am going to provide an example of what this would look like on the only medium that counts; paper.

Continue reading