The General Data Protection Regulation (GDPR) replaced the Data Protection Directive on May 25, 2018. The GDPR contains a number of new protections for EU data subjects, introducing significant fines and other penalties for non-compliance.
Although many of the protections relate to data protection practice, data security plays a larger role in the new Regulation, which imposes stricter and more specific obligations on both data processors and controllers with regard to data security. It also contains some controls and guidelines on what must happen in the event of a data security breach.
Appropriate technical and organisational measures
While it’s important to remember that this regulation is focussed on data privacy rather than security (and therefore doesn’t give a specific list of security-related controls), it does require both controllers and processors to:
“implement appropriate technical and organisational measures” taking into account “the state of the art and the costs of implementation” and “the nature, scope, context, and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.”
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.