The Regulation does not establish a list of security measures to be applied according to the types of data being processed; instead it states that the controller and processor should apply adequate technical and organisational measures to ensure a level of security appropriate to the risk involved in the processing. This means the risk inherent in each processing operation must be analysed in order to determine the security measures to be implemented.
The Regulation requires the controller and processor to assess the level of risk associated with the data processing they intend to conduct and, on the basis of this assessment, determine the security measures to be applied in each case.
The risks must be identified, and the most appropriate security measures for each of them decided upon.
The following action should be taken:
- determine the context in which the processing activities are taking place;
- identify risk situations;
- analyse the risks;
- evaluate them;
- address them through measures that minimise the likelihood and severity of the risk deriving from the processing operations;
- review the risks.
A model of information security best practices should be chosen to guide the specification of the measures to be adopted.
In the case of the public sector, the First Additional Provision of the LOPDGDD establishes the following: “the National Security Framework (ENS) will include the measures that shall be implemented in the case of processing data of a personal nature, to avoid its loss, alteration or unauthorised access, adapting risk determination criteria in processing the data to that established in Article 32 of Regulation (EU) 2016/679.”