Executive Summary

The General Data Protection Regulation (EU) 2016/679 ('GDPR') will be, as of 25 May 2018, the main data protection legal framework in the EU, directly applicable in all Member States and repealing the current Data Protection Directive 95/46/EC. Currently, businesses in the EU have to deal with 28 different data protection laws. This fragmentation is a costly administrative burden that makes it harder for many companies, particularly SMEs, to access new markets.
One of the core obligations under GDPR for all businesses, including SMEs, acting either as data controllers or as data processors, is the security of personal data. In particular, according to GDPR, security equally covers confidentiality, integrity and availability, and should be addressed following a risk-based approach: the higher the risk, the more rigorous the measures that the controller or the processor needs to take in order to manage it. Even though this risk-based approach is not a new concept, only a few specific privacy risk assessment frameworks have been presented, focusing principally on the evaluation of risks to personal data and the adoption of relevant security measures.
On this basis, and as part of its continuous support of EU policy implementation, ENISA published in 2016 a set of guidelines for SMEs acting as data controllers or processors, which aim at helping them assess security risks and accordingly adopt security measures for the protection of personal data. Those guidelines can also be of use in all cases where risk assessment is envisaged under the Regulation (e.g. Data Protection Impact Assessment, personal data breach notification, etc.).
During 2017 the Agency continued its activities in this area and focused on providing further guidance on the application of the aforementioned guidelines through specific use cases, developed in close collaboration with experts from national Data Protection Authorities. Each use case corresponds to a specific personal data processing operation and makes specific assumptions about the data processing environment and the overall context of processing. The examples provided, however, focus only on security measures and do not aim at providing any legal analysis or assessment of compliance with GDPR for the specific data processing operations. While performing the analysis, a number of conclusions and relevant recommendations, targeted at different stakeholders, were drawn; they are presented below.

  • Competent EU bodies, EU policy makers and regulators (e.g. Data Protection Authorities) should develop practical and scalable guidelines that are able to support and assist different types of data controllers and address specific stakeholders' communities.
  • Competent EU bodies, EU policy makers and regulators (e.g. Data Protection Authorities) should promulgate a set of baseline professional skills and requirements that Data Protection Officers should meet.
  • EU policy makers and regulators (e.g. Data Protection Authorities) should define and promote scalable data protection certification schemes that meet the needs of SMEs and empower them to achieve and demonstrate compliance.
  • The research community and competent EU bodies, in close collaboration with regulators (e.g. Data Protection Authorities), should propose and put forward methodologies that combine security risk management and risk management of personal data.
  • SME communities and associations, in close collaboration with competent EU bodies and regulators (e.g. Data Protection Authorities), should communicate and encourage data controllers to undertake actions towards security and privacy compliance as a competitive advantage alongside the underlying legal obligations.

Full report (PDF): https://www.mmc.ge.it/main/wp-content/uploads/2018/09/GDPR-Measures-Handbook.pdf

About ENISA


The European Union Agency for Network and Information Security (ENISA) is a centre of network and information security expertise for the EU, its member states, the private sector and Europe’s citizens.
ENISA works with these groups to develop advice and recommendations on good practice in information security. It assists EU member states in implementing relevant EU legislation and works to improve the resilience of Europe’s critical information infrastructure and networks. ENISA seeks to enhance existing expertise in EU member states by supporting the development of cross-border communities committed to improving network and information security throughout the EU. More information about ENISA and its work can be found at www.enisa.europa.eu.

Contact
For queries in relation to this paper, please use isdp@enisa.europa.eu.
For media enquiries about this paper, please use press@enisa.europa.eu.