Hello and welcome back to this introduction to Judy PR
in this video will be looking at the security requirements for processing personal data. As described in the GDP Are
sees Organization is a new data protection recommendation within the GPO.
It refers to the technique of processing personal data so it cannot be attributed to a specific individual or data subject without the use of additional information.
This additional information should be stored separately on be subject to technical and organize social Security measures to ensure non attribution
in practice. What this means is replacing the field's most likely toward then define individual's identity Name, address, national insurance number, passport number, driving licence, date of birth, et cetera,
with an artificial identify or pseudonym.
Well, sit down imitation is only a recommendation, not a requirement.
It is central to the concept of security by design,
and he's identified in the regulations is one of the measures for demonstrating compliance.
Further, although pseudonymous data is not exempt from the GDP are all together,
it relaxes several requirements on the controllers that used this technique.
In particular pseudonym eyes data may be eligible for further processing that is compatible with the initial purpose for which consent was given,
depending on the context in which the data was collected on the relationship between data subjects and controllers, the type of data processed and possible consequences of processing for the data subjects.
Finally, the regulation does not apply to data that does not relate to unidentified or identifiable natural person or two data rendered anonymous in such a way that the data subject is no longer identifiable.
So, for example, where controllers have sued Donna Mai's data to the point that they cannot identify individuals,
for example, deleting the directly identifying part of the data set,
they do not need to provide data subjects with access to the data rectification Eurasia or data portability.
However, sue Don Imus data is not anonymous data, and it must be reasonably unlikely that re identification could occur for the data to be exempted.
Whilst encryption is a recommendation, not a requirement, it is likely that for most organizations it will be a key component of their compliance plan.
As the directive says.
In order to maintain security and to prevent processing that infringes this directive,
the controller or process er shall evaluate the risks inherent in the processing and should implement measures to mitigate those risks, such as encryption.
That's with pseudo normalization. The GDR has created some incentives for organizations to use encryption.
An important consideration of encryption is the potential for a safe breach
where any data stolen is encrypted and use. List of Acker
reaches that occur where the data is encrypted are specifically noted as being exempted from notification to the supervisory authority.
Encryption of data is one of the safe counts which can allow further processing of data,
for example, in our carving data and for historic and scientific research purposes or statistical purposes.
Article 32 covers the security of processing and states,
taking into account the state of the art, the cost of implementation on the nature, scope, context and purposes of processing,
as well as the risk of varying likelihood and severity with rights and freedoms of natural persons.
The controller and processes shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk,
including his appropriate
the encryption and pseudo normalization of personal data
as previously described.
The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and service is
one area haven't really discussed is controlling access to data.
The recipients in GDP are speak on ensuring recipients only have access to the data they need and do not make copies of the data either physically or electronically or change data either intentionally or unintentionally
and for mechanisms to be in place to detect incorrect any unauthorized changes.
The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
In other words, the appropriate business continuity and disaster recovery plans
on a process for regular testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing.
In other words, test that your plans work
about from pseudo normalization. These are all pretty standard security practices in most organizations.
What is important is that these will need to be documented demonstrably in place for purposes of compliance.
In the next video, we'll look data protection impact assessments on the role of the Data Protection officer