On January 23, 2018, the French data protection authority (the CNIL) published new guidelines on the security of personal data (updating its previous security guide published in 2010 available in English) , providing practical recommendations in the form of “Do’s and Dont’s” to help businesses implement appropriate measures to protect personal data in compliance with the General Data Protection Regulation (“GDPR”).
Denise Lebeau-Marianna and Caroline Chancé write:
Article 32 of the GDPR requires data controllers and processors to “implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk”. Although the GDPR provides some guidance as to the types of measures that may be considered appropriate (i.e., the pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing), the CNIL acknowledges that such determination may be difficult for businesses that are unfamiliar with the risk management methods in terms of data processing.
The CNIL’s guide (available in French only at the date of this post – an English version will be made available by the CNIL in the near future) is aimed at (i) clarifying the basic precautions to be taken systematically when processing personal data and (ii) helping businesses verify their level of compliance thanks to a tick box evaluation form made available at the end of the guide.
Read more on DLA Piper Privacy Matters.