The GDPR does not establish a list of security measures based on basic, medium and high security levels, as the Data Protection Law Regulations did. It is up to the controller and the processor, after a risk assessment, to determine what security measures need to be implemented in each circumstance.
In any case, appropriate technical and organisational security measures must be established to ensure an adequate level of protection against risk. The measures provided for in the LOPD implementing regulation that are already in place may be useful, but it should be analysed in each case whether they are sufficient or need to be modified.
In the case of public sector entities, it should be borne in mind that additional provision 1 of the LOPDGDD states that the entities listed in Article 77.1 of said law must comply with the security measures required by the National Security Framework (ENS). In accordance with section 1 of this additional provision, the ENS must take into account the risk of the processing of personal data in accordance with the GDPR.
In accordance with the principle of transparency and the applicable personal data protection regulations, the information included in a privacy policy must be provided in all the languages used on the website.
From the moment a product, service or application involving the processing of personal data is designed, the controller must adopt the organisational and technical measures needed to build into the processing, product or service the guarantees that ensure compliance with the principles of the GDPR.
These measures may consist, for example, of minimising the processing of personal data. Pseudonymising personal data as soon as possible, and ensuring transparency with regard to the functions and processing of personal data, allow data subjects to monitor the processing and allow the controller to create and improve security features.
For more details on this subject, see Guidelines 4/2019 of the European Data Protection Board on Article 25 of the GDPR, on Data Protection by Design and by Default.
Yes, Article 32 on security of processing takes a risk-based approach. It states, for example, that technical and organisational measures must be implemented to ensure a level of security appropriate to the risk; in particular, the risks arising from the loss, destruction, alteration or unauthorised access or disclosure of data.
It could be said that a risk analysis is the minimum action required when an impact assessment is not mandatory.
There are many ways to perform a risk analysis. In the simplest of these, the analyst is responsible for identifying and assigning a level to each risk, but this method produces a very subjective result. Other risk analysis methods seek to give an accurate estimate that is less dependent on the subjective opinion of the analyst.
Standard ISO/IEC 27005 may be useful in understanding the variety of methods. This standard does not describe a specific method, but reviews the various phases of risk management and presents different ways of implementing these phases. For example, an essential difference between methods may be whether they take a qualitative or a quantitative approach: qualitative methods tend to be less complex and less expensive to carry out, and are a good way to obtain an initial estimate.
In terms of specific methods, there are many: OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation), FAIR (Factor Analysis of Information Risk), NIST RMF (the National Institute of Standards and Technology's Risk Management Framework), MAGERIT (Methodology for Information Systems Risk Analysis and Management), or the guidelines proposed by ENISA for SMEs (https://www.enisa.europa.eu/publications/guidelines-for-smes-on-the-security-of-personal-data-processing).
In accordance with additional provision 1 of the LOPDGDD, the National Security Framework (ENS) determines the security measures that must be implemented to protect personal data in public sector entities (those listed in Article 77.1 of the LOPDGDD) and in other agents that provide them with processing services. Although the ENS only requires the use of an internationally recognised risk analysis method (without naming any specific one), MAGERIT was developed with the aim of facilitating the performance of such risk analyses.
Regardless of the methodology used, it should be noted that in the assessment of risks to the rights and freedoms of individuals, an analysis is required from the point of view of the data subjects; that is, it must be borne in mind that a risk that could be assumed from the point of view of an organisation might have a very high impact on a particular individual.