GDPR – Up-date on October 2019

It's been over a year since the GDPR became applicable. During this period extended "actions" of compliance were observed both at the legislative level, in the sectors directly concerned and especially at the level of conduct of personal data operators, which had to reconsider their entire activity in relation to the GDPR.

In light of the sanctions recently applied at national level by the National Supervisory Authority for Personal Data Processing, there is further stressed the seriousness with which the issue of personal data protection must be treated.

As far as you are concerned, do you consider your organization to be GDPR compliant? Can you state with certainty that your organization has an adequate level of security for protecting personal data against threats and vulnerabilities?

1. From our point of view, a first step in establishing the level of security within an organization, is to clearly define what security should mean for a specific organization.

The security of an organization implies first and foremost:

  • physical security;

  • personnel security;

  • procedural security;

  • documents security;

  • industrial security;

  • legal security and above all, computer security (with its two components: COMSEC and COMPUSEC).

The required level of security must be further determined in relation to the size of the organization, the size of the flow of personal data processed, the threats and vulnerabilities detected, which represent in fact the risks to which the processing of personal data that take place within the organization is exposed.

Threats can be internal, deliberate or undeliberate, technical, procedural or human, but also external, for example from competing organizations or hackers.

2. It is thus recommended that technical and organizational measures to be implemented, depending on the level of risk of the processing, specific to the field of activity carried out by the organization, in order to protect personal data against: accidental and illegal destruction, loss, modification, disclosure, unauthorized access, illegal processing.

Several protection measures may consist in:

  • pseudonymization and encryption of personal data;

  • determining the imperative data needed to be processed and reducing to a minimum the necessary data processing operations and exclusively processing the necessary imperative data;

  • ensuring confidentiality, integrity, availability and continuous resistance of processing systems and services;

  • restoring the availability of personal data and quick access to them in the event of an incident, testing, periodically evaluating the effectiveness of the technical and organizational measures.

The development and implementation of security policies tailored to the specific activities of the respective organization, plays an important role in achieving the purpose of the GDPR.

In the area of personal data protection, neglecting a single measure may create an unwanted snowball effect; for example, the inaccurate documentation of the security procedures and of the technical and organizational measures, may lead to the impossibility of finding a security breach, security breach that should be notified to the Supervisory Authority within no more than 72 hours from the moment when the organization was aware of it.

Last but not least, within an organization, a crucial role from the point of view of the GDPR is held by the data protection officer (DPO), who is in fact the security manager of the company and to whom we will assign a future article separately, given its importance and the complexity of the tasks with which he is in charge.

Finally, what is essential, is that security must not only be implemented, but such must be practiced. This implies that once the security policies are documented and established, they must be periodically monitored and reviewed, adapted to the reality of the organization.

Yours sincerely,
Almaj, Iordache SCA