The security of personal data must be ensured by appropriate technical and organizational measures. The key objectives are protection against unauthorized access and disclosure, against accidental or unlawful loss and destruction, and against manipulation of the data.

This principle covers a wide range of technical and organizational measures that must be in place when personal data is stored and processed. Because the terms pseudonymization and encryption appear several times in the GDPR (for example in Art. 32, where they are named as possible measures "as appropriate"), the principle is often reduced to "encrypt the data". Encryption alone, however, is by no means sufficient, and in some cases it is not even necessary: encrypted data that is still accessible to everyone in the organization, or that has no backup, fails the principle just as clearly as unencrypted data.

In practice, the technical and organizational measures are usually mapped onto the controls of the ISO/IEC 27001 family of standards (the individual controls are described in ISO/IEC 27002). This family of standards specifies a variety of technical measures for implementing information security correctly, as well as requirements for written policies and defined processes for handling data. Only a combination of technical and organizational measures protects data sustainably and reliably: a technical control without a process that keeps it configured, reviewed and enforced erodes over time, and a written policy without technical enforcement is routinely bypassed.

Previous article: Employee data protection awareness: #7 Defined deletion obligations