Expert Advice Community

Text source about obligation to have IT Security Structure in place on premises

Guest user Created:   May 20, 2021 Last commented:   May 24, 2021

I work as a freelancer in Human Resources for a pharmaceutical SME company in ***, which belongs to an international group. We have strong co-determination rights regarding the works council.
Members of the international headquarters want to know in which chapter of the GDPR it is written down that a company, i.e. in ***, which has servers on its premises with various software programmes that process personnel data, must have an IT Security Structure: i.e. who has access to the server room, which security measures have been taken in case of fire or other emergency incidents, etc.
Thanks a lot for a link or some further information.

Expert
Alessandra Nisticò May 24, 2021

The GDPR only states that the data controller must ensure that data are “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).” (Article 5 paragraph 1, f) GDPR)

Article 32 GDPR, among the obligations of the data controller, states that:

“Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller, and the processor, shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

A) the pseudonymization and encryption of personal data;

B) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;

C) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

D) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.”

Setting access policies and determining roles and responsibilities is considered an organizational security measure, and of course there is no indication of what technical security measures must be applied; the aim of the GDPR is to be technologically neutral, but the ISO 27001 standard on information security can be a good guide.

Here you can find some information on security aspects and GDPR:

If you want to know more about EU GDPR compliance, you can consider enrolling in our free online training EU GDPR Foundations Course: https://training.advisera.com/se/eu-gdpr-foundations-course//
