According to Recital 78 GDPR “[t]he protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organizational measures be taken to ensure that the requirements of [the GDPR] are met”. This provision, which represents a cornerstone of the legal framework, is further elaborated for the specific case of processing for research purposes. Recital 156 GDPR and Article 89 GDPR call for the implementation of ‘appropriate safeguards’, stressing the importance of safeguarding the rights and freedoms of natural persons (see the “Integrity and Confidentiality” subsection in the Principles section of the General Part of these Guidelines).
The GDPR does not provide a comprehensive list of technical and organizational measures, leaving to the data controller the task of identifying them and assessing their effectiveness in mitigating risks for the data subjects. Researchers should also consider external security and data protection audits, to confirm that the security and compliance measures are sound and to further demonstrate compliance with the accountability principle (see the “Accountability” subsection in the Principles section of the General Part of these Guidelines).
Examples of technical and organizational measures

| Technical measures | Organizational measures |
| --- | --- |
| Data anonymization or pseudonymization[1] | Security policies |
| Encryption of communication | Data management plans |
| Protection of data from unauthorized access | Training program for personnel |
| Vulnerability assessment / Penetration testing | Regular audits and assessments |
References

[1] See also section 3.3.5, Erasure or destruction of data, for more information on anonymisation. For more technical information, please refer to the PANELFIT DOCUMENT ON ANONYMISATION.