The document may become a source of guidance on risk-based information security practices for other data controllers in the EU as well, given its authority and the similarity between the security provisions of a number of EU directives and regulations. The guidance is called ‘Security Measures for Personal Data Processing’ and is issued pursuant to Article 22 of Regulation 45/2001, which contains the legal requirement for EU institutions to mitigate risks when processing personal data.
The EDPS’s approach is grounded in accepted good practices in Information Security Risk Management (ISRM) and therefore, does not prescribe a particular set of security measures. With regard to Article 22, the guidance provides detailed advice on how to apply the ISRM framework in a manner that complies the Regulation’s security requirements. Of particular note, it states that in order to comply with the legal obligation under Article 22 of the Regulation, EU institutions must always apply state of the art risk assessment and risk management.
Organizations subject to EU data protection laws may wish to carefully review the EDPS’s ISRM recommendations in light of the fact that the guidance may be used to interpret the security provisions of other, more generally applicable directives and regulations.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now