In June 2020, the State Data Protection Inspectorate updated and published the third version of its “Guidelines on personal data security measures and risk assessment for controllers and processors” (the guidelines).
The information provided in the guidelines can be used by organisations that manage and/or process personal data (controllers and processors) in their data processing activities. The guidelines help such organisations to assess the risks relevant to the security of personal data and to select and put in place adequate security measures. They are intended primarily for controllers and processors that are small and medium-sized enterprises, but can also be used by other organisations (non-governmental organisations, the public sector or large companies), depending on the specific activities carried out.
Note that, when designing (implementing) or evaluating its organisational and technical security measures, an organisation must take into account the nature, scope, context and purposes of the personal data processing, together with the risks that the relevant threats pose to the rights and freedoms of natural persons. Articles 24 and 32 of the GDPR (BDAR in Lithuanian) oblige organisations to carry out such a risk assessment in all cases.
The guidelines are based on ENISA recommendations and on the standards LST ISO/IEC 27001:2017 and LST ISO/IEC 27002:2017. The third version additionally integrates the standard ISO/IEC 27701:2019 “Security techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines”, published in 2019.
Every measure listed in the guidelines is accompanied by a reference to the relevant requirement of the LST ISO/IEC 27001:2011 information security management standard and to the additional privacy requirements of ISO/IEC 27701:2019. The explanations are aligned with the General Data Protection Regulation.
Note that the ISO standards are built around managing an organisation's risks, and they treat the protection of personal data as one part of the organisation's security; under the General Data Protection Regulation, by contrast, security is only one component of personal data protection, and risks are assessed in terms of the rights and freedoms of natural persons. In addition, some of the terms used in the General Data Protection Regulation and in ISO/IEC 27701:2019 differ, and there are slight differences between the definitions of those terms. The terms correspond as follows:
| General Data Protection Regulation | ISO/IEC 27701:2019 |
|---|---|
| Personal data | Personally identifiable information (PII) |
| Controller | PII controller |
| Processor | PII processor |
| Data subject | PII principal |
| Data protection by design | Privacy by design |
| Data protection by default | Privacy by default |