The GDPR provides in Article 32 that "the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk".
But for someone unfamiliar with risk management methodologies, it can be difficult to put this approach into practice and to be confident that at least the minimum has been done.
To help professionals with their compliance, the CNIL publishes a guide recalling the basic precautions that should be implemented systematically.
This guide can be used within a risk management system, usually consisting of the following four steps:
- Listing the processing of personal data, the data processed (e.g. customer files, contracts) and the media on which they rely.
- Assessing the risks caused by each processing operation by:
  - identifying the potential effects on the rights and freedoms of the individuals concerned, the sources of risk (who or what could be the cause of each feared event?) and the possible threats (what could allow each feared event to occur?);
  - determining the existing or planned measures which allow each risk to be dealt with (e.g. access control, backups, traceability, security of the premises, encryption and anonymisation);
  - evaluating the severity and likelihood of the risks in the light of the previous elements (for example on a scale: negligible, moderate, significant, maximal).
- Implementing and checking the planned measures.
- Carrying out periodic security audits.