Elías Vallejo, lecturer in "Data Protection and Information Systems Audits" on the Master in Compliance & Data Protection Management at EIP International Business School, wanted to share with us a study analysing the different risks mentioned in the GDPR.
Different risk analyses in the GDPR
Professor Elías Vallejo notes that the idea of carrying out a risk analysis appears in three places in the GDPR:
- Art. 24.- Responsibility of the Data Controller, and Art. 35.- Data Protection Impact Assessments
- Art. 32.- Security of Processing
- Art. 25.- Data Protection by Design and by Default
In the first post of our blog, Specialists in Data Protection & Regulatory Compliance, Professor Elías Vallejo discussed Art. 24, Responsibility of the Data Controller, and Art. 35, Data Protection Impact Assessments.
In this second post, he presents the risk analysis in the case of Art. 32, Security of Processing.
Here are the words of Elías Vallejo:
Art. 32.- Security of Processing
While Article 24 of the GDPR requires taking into account the nature, scope, context and purposes of the processing, this article adds to those elements the state of the art and the costs of implementation, all weighed against risks of varying likelihood and severity for the rights and freedoms of natural persons.
To this end, appropriate technical and organisational measures shall be implemented to ensure a level of security appropriate to the risk. That is, we must now restrict ourselves to security measures.
The article states that these measures should include aspects such as the pseudonymisation and encryption of personal data; the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; the ongoing resilience of processing systems and services; and protection against the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, and against unauthorised disclosure of, or access to, such data.
The focus of any risk analysis of information security (personal data included) should be the ability to ensure the confidentiality, integrity and availability of processing systems and services, as the article itself contemplates.
National Security Scheme
I will not be the one to develop this point. There are various threat catalogues (ENS, ISO 27000, Gestiona, etc.) that must be considered and developed by technical staff.
It is important to highlight here that if the organisation is subject to the ENS, that will be its frame of reference; if instead the organisation wants to certify voluntarily under ISO 27000, its 114 controls will apply to it.
However, not all organisations are subject to the ENS or have a budget for ISO 27000, which means that threat catalogues covering the security of processing must be developed for them. Two types of catalogue should be established in these cases: one for large organisations and another for small ones, since the level of demand cannot and should not be the same.
I also want to emphasise that Article 32 requires ensuring the ongoing resilience of processing systems and services, so although we are not going to implement ISO 22301 (it is out of scope unless the client requests it), measures in this regard must be taken into account.
Do you want to specialise in Compliance Management and data protection?
The Master in Compliance & Data Protection Management will make you a highly qualified professional with the skills needed to carry out specialised tasks in two of the most relevant areas for private businesses and public administrations alike: data protection and regulatory compliance.