Step 7. Review Data Processing Procedures

7. Review Data Processing Procedures – GDPR consultant 12 step guide to GDPR compliance

It is vital to review your data processing procedures to ensure GDPR compliance. You must have a legal basis for processing data and be able to provide your supervisory authority with proof. Document everything you do. Consider information security frameworks like Cyber Essentials.

Data security plays a prominent role in the GDPR, reflecting its close relationship with modern comprehensive privacy regimes. The GDPR imposes stricter obligations on data controllers and processors regarding data security, while offering more guidance on what counts as an appropriate security standard. It also introduces, for the first time in general EU data protection law, specific personal data breach notification duties: notification to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach (Article 33), and notification to the affected data subjects where the breach is likely to result in a high risk to their rights and freedoms (Article 34).

Security of Data Processing Standards

The GDPR separates the responsibilities and duties of data controllers and data processors, obligating controllers to engage only those processors that provide “sufficient guarantees to implement appropriate technical and organisational measures” to protect data subjects’ rights and meet the GDPR’s requirements (Article 28(1)). Processors in turn must take all measures required by Article 32, which delineates the GDPR’s “security of processing” standards (Article 28(3)(c)).

Article 32, similarly to the Directive’s Article 17, states that data controllers and data processors are required to “implement appropriate technical and organizational measures” taking into account “the state of the art and the costs of implementation” and “the nature, scope, context, and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.”

Unlike the Directive, however, the GDPR provides specific suggestions for the kinds of security actions that might be considered “appropriate to the risk,” including:

  • The pseudonymisation and encryption of personal data.

  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.

  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.

  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

Adherence to an approved code of conduct (Article 40) or an approved certification mechanism (Article 42) may be used as an element by which to demonstrate compliance with these security requirements (Article 32(3)). Note that established frameworks such as ISO/IEC 27001, the NIST Cybersecurity Framework, the CIS Controls and Cyber Essentials are not in themselves GDPR-approved certification mechanisms, which must be based on criteria approved by a supervisory authority or the European Data Protection Board. They remain useful evidence that appropriate technical and organisational measures have been selected, implemented and regularly tested, which is what a supervisory authority will ask you to show.

Data controllers and processors may consult the Recitals for additional guidance on security standards. Recital 49 in particular states that processing personal data to the extent strictly necessary and proportionate to ensure network and information security (for example, preventing unauthorised access to networks, stopping malicious code distribution and defending against denial-of-service attacks) constitutes a legitimate interest of the controller concerned. This gives security monitoring and logging a legal basis under Article 6(1)(f) that it might otherwise lack, provided the processing is limited to what the security purpose actually requires.