Article 30 1. g) of the RGPD requires the register to include "as far as possible, a general description of the technical and organisational security measures referred to in Article 32(1)".
Each controller or processor has an obligation under Articles 5 1. f) and 32 of the GDPR to ensure data security by means of measures appropriate to the level of risk.
What are security measures?
These are all necessary measures to ensure the security and confidentiality of personal data.
For example, these may be physical security measures such as security of access to premises, or informatic security measures such as the installation of an anti-virus system, a binding password for data access, etc.
For each processing of personal data, it is necessary to take appropriate measures to ensure a level of security appropriate to the risk to the rights and freedoms of the persons concerned (invasion of privacy, discrimination, etc.).
**The risk should not be assessed in relation to the company, but in relation to the data subject.
Guaranteeing security means guaranteeing :
- confidentiality,
- integrity
- and availability of data.
Security measures must therefore prevent illegitimate access to data, the unwanted modification of data and the disappearance of data.
To ensure that the measures are appropriate to the risk, these risks must be assessed. To do this, it is necessary to identify the potential impact on data security, the sources of the risks, the possible threats and to assess whether the existing measures are sufficient. If not, they need to be increased.