GDPR stands for General Data Protection Regulation (Regulation (EU) 2016/679), a European Union law adopted to harmonise personal data protection rules across the EU and to strengthen the rights of individuals over how their data is handled.
The GDPR was adopted on 27 April 2016 and entered into force on 24 May 2016, but it became applicable only two years later, on 25 May 2018.
From that date, every organisation that processes the personal data of individuals in the EU is bound by it, wherever the organisation itself is established.
In general, the GDPR requires companies to collect and process personal data lawfully and transparently, and only to the extent needed for the stated purposes (the principles of lawfulness, transparency and purpose limitation).
Individuals have the right to know what data is collected about them, to access that data, to request rectification or erasure, and to object to certain types of processing. The regulation also requires companies to implement appropriate technical and organisational measures to secure personal data against unauthorised access and other threats to individuals' privacy.
The General Data Protection Regulation, known as the GDPR, was introduced to ensure that the rights and freedoms of natural persons are adequately protected whenever their personal data is processed.
This has posed new challenges for businesses, especially in relation to cybersecurity. Although some believe that "cyber security is excluded from the GDPR", in reality the regulation requires every organisation to put in place appropriate technical and organisational measures to protect personal data (Article 32).
The General Data Protection Regulation (GDPR) not only establishes how personal data should be processed but also imposes specific security measures to protect it. These measures are essential to ensure that data processing takes place in a secure environment, considering the state of the art in cybersecurity and the level of risk associated with potential threats.
Although the GDPR does not prescribe specific technologies or technical details, it requires companies to ensure a level of security appropriate to the risk, so as to prevent unauthorised access, data breaches and other security incidents.
To comply with GDPR, companies must adopt security measures such as:
One of the key concepts of the General Data Protection Regulation (GDPR) is the principle of accountability. This principle requires companies not only to comply with data protection regulations but also to demonstrate actively that the technical and organizational measures they have implemented are appropriate and effective.
It is not just about following the rules: organisations must be able to prove that the measures they have put in place are proportionate to the nature of the processing and the associated risks. This involves continuous risk assessment and the adoption of solutions that align with the state of the art in cybersecurity and data protection.
Companies can demonstrate compliance with the accountability principle through various actions:
The GDPR requires companies to document their data processing activities in a record of processing activities (Article 30).
Organizations must establish clear policies on data management and ensure that all employees are aware of them.
Data protection impact assessments (DPIAs) are mandatory when a processing operation is likely to result in a high risk to individuals' rights and freedoms (Article 35).
Organisations must designate a Data Protection Officer (DPO) if they are a public authority, or if their core activities involve regular and systematic large-scale monitoring of individuals or large-scale processing of special categories of data (Article 37).
Accountability also requires educating employees about security and data protection best practices.
The GDPR requires that a personal data breach be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to result in a risk to individuals (Article 33); when the breach is likely to result in a high risk, the affected individuals must also be informed (Article 34).
Example: A mobile banking app detects unauthorized access to customer accounts and sends immediate notifications to users, advising them to change their login credentials.
Example: A telecommunications company, after experiencing a cyberattack that compromised thousands of customer records, notifies the Data Protection Authority within the required timeframe and directly contacts affected users.
What Does “Adequate Security Measures” Mean in GDPR?
Under the General Data Protection Regulation (GDPR), the concept of adequate security measures refers to implementing safeguards that are proportionate to the risks associated with processing personal data.
Article 32 of the GDPR states that companies must adopt security measures taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the risk of varying likelihood and severity for the rights and freedoms of natural persons.
This means there is no one-size-fits-all solution: security measures should be scalable and tailored to the type of data being processed and the threats it is exposed to.
Before implementing security measures, a company must conduct a risk assessment to identify threats and vulnerabilities in its IT systems. This evaluation typically includes:
Depending on the company’s size and the type of data handled, security measures can vary. Here’s an overview of key solutions:
Encryption ensures that data remains unreadable to anyone who does not hold the decryption key, which makes key management (where keys are generated, stored and who can use them) as important as the choice of algorithm.
Access control, meaning limiting data access to authorised personnel on a need-to-know basis, reduces the risk of data leaks and limits the damage when an account is compromised.
Logging and monitoring systems help detect suspicious activity or unauthorised access attempts, and provide the evidence needed to establish what happened when a breach is investigated.
Regularly tested backups ensure that information can be restored in case of cyberattacks (such as ransomware) or system failures, which is what Article 32 means by the ability to restore availability and access to personal data in a timely manner.
Pseudonymization reduces privacy risks by replacing identifying data with artificial identifiers; under Article 4(5) the additional information needed to re-identify a person (the key or lookup table) must be kept separately and under its own access controls, otherwise the data is not pseudonymised at all.
Incident response: the GDPR requires that personal data breaches be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of them, so the response process must exist before the breach happens.
Large corporation: A telecommunications company has a Computer Security Incident Response Team (CSIRT) that immediately reacts to cyberattacks, mitigates damage, and notifies affected users.
Small business: An online retailer suffers a cyberattack and follows its data breach notification procedure, informing both its customers and the Data Protection Authority.
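The pseudonymization item in the list above is the measure that is most often implemented wrongly, so here is an added worked example written for this page (it is not code from the original article). It assumes records are Python dicts whose only direct identifier is an e-mail address, and it contrasts an unkeyed hash, which an attacker holding the dataset can recompute from a list of guessed addresses, with a keyed HMAC token whose key and token-to-identifier lookup are held separately from the data, as Article 4(5) requires. The function names, the key handling and the sample records are constructed for illustration.

```python
"""Keyed pseudonymization of direct identifiers (illustrative example).

Assumptions (ours, not the article's): records are dicts, the only direct
identifier is 'email', and both the HMAC key and the token->email lookup are
stored apart from the pseudonymized dataset (for example a KMS for the key and
a separately access-controlled table for the lookup).
"""
import hashlib
import hmac
import secrets

# Constructed sample data: fictional addresses, not real people.
CUSTOMER_RECORDS = [
    {"email": "alice@example.com", "plan": "premium", "country": "IT"},
    {"email": "Bob@Example.com", "plan": "basic", "country": "FR"},
    {"email": "alice@example.com", "plan": "premium", "country": "IT"},
]

DIRECT_IDENTIFIERS = ("email",)


def _normalize(value: str) -> str:
    # Canonical form so that the same person always maps to the same token.
    return value.strip().lower()


def naive_token(value: str) -> str:
    """What NOT to do: an unkeyed hash. Anyone can recompute it from a guess."""
    return hashlib.sha256(_normalize(value).encode()).hexdigest()


def keyed_token(value: str, key: bytes) -> str:
    """HMAC-SHA256 over the normalized value: deterministic, so records about
    the same person still link up for analytics, but not reproducible by
    anyone who does not hold the key."""
    mac = hmac.new(key, _normalize(value).encode(), hashlib.sha256).hexdigest()
    return "psn_" + mac[:32]


def pseudonymize(records, key: bytes):
    """Return (pseudonymized_records, lookup). The lookup (token -> identifier)
    is the 'additional information' of Article 4(5) and must be stored apart
    from the dataset, under separate access control."""
    lookup = {}
    out = []
    for rec in records:
        copy = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            if field in copy:
                tok = keyed_token(copy[field], key)
                lookup[tok] = _normalize(copy[field])
                copy[field] = tok
        out.append(copy)
    return out, lookup


def reidentify(record, lookup):
    """Reverse the mapping; only possible with the separately held lookup."""
    copy = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in copy and copy[field] in lookup:
            copy[field] = lookup[copy[field]]
    return copy


def dictionary_attack(tokens, candidates, key=None):
    """Model an attacker who holds the dataset and a list of guessed e-mails.
    Without the key they can only try the unkeyed hash. Returns the
    token -> e-mail pairs they manage to recover."""
    recovered = {}
    for guess in candidates:
        tok = naive_token(guess) if key is None else keyed_token(guess, key)
        if tok in tokens:
            recovered[tok] = _normalize(guess)
    return recovered


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice generated and held in a KMS/HSM
    pseudo, lookup = pseudonymize(CUSTOMER_RECORDS, key)
    guesses = ["alice@example.com", "carol@example.com"]
    unkeyed = {naive_token(r["email"]) for r in CUSTOMER_RECORDS}
    keyed = {r["email"] for r in pseudo}
    print("recovered from unkeyed hash :", dictionary_attack(unkeyed, guesses))
    print("recovered from HMAC tokens  :", dictionary_attack(keyed, guesses))
    print("re-identified with lookup   :", reidentify(pseudo[1], lookup)["email"])
```

Run it and the dictionary attack recovers Alice from the unkeyed hash but nothing from the HMAC tokens; the same key still yields a stable token for her two records, so analytics can link them, and only the separately stored lookup reverses the mapping. Encryption of the dataset at rest is a separate measure: it protects the stored bytes, while pseudonymization limits what someone who can legitimately read the data learns about the people in it.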
Organizations are required to ensure that any processing of personal data implements appropriate security measures.
This means that security cannot be considered only at the start of a project or during system design: it must be built into every phase of the data lifecycle, which is what the regulation calls data protection by design and by default (Article 25). Companies must consider the context and purposes of the processing and take the state of the art into account when deciding which measures to adopt.
Measures may include adopting security policies, training staff, implementing advanced technological solutions and creating processes to manage data breaches. This proactive approach is essential to maintaining GDPR compliance and protecting data effectively.
In summary, the GDPR and cybersecurity are closely linked. While cybersecurity is not the sole focus of the GDPR, it is clear that the regulation requires organizations to take appropriate technical and organizational measures to protect personal data.
This requires a continuous commitment by companies to assess risks, adopt best practices and ensure an adequate level of security to prevent unauthorized access and other threats. In an increasingly digital world, data protection is not just a matter of regulatory compliance, but is also fundamental to safeguarding the rights and freedoms of natural persons.
What is GDPR and how does it affect cybersecurity?
The GDPR is a European regulation that establishes rules for the protection of personal data. It requires the adoption of IT security measures to protect such data.
Is cybersecurity excluded from the GDPR?
No, cybersecurity is not excluded from the GDPR. Indeed, the GDPR requires the adoption of adequate technical and organizational measures to guarantee data security.
What are appropriate technical and organizational measures?
They are practices and tools adopted by companies to ensure that personal data is processed securely, taking into account the state of the art and risks.
Does GDPR require data encryption?
The GDPR does not make encryption mandatory, but Article 32 names it explicitly as an example of an appropriate measure, and Article 34 exempts a company from notifying affected individuals of a breach if the data was rendered unintelligible to unauthorised parties, for example through encryption with keys that were not themselves compromised.
How do you demonstrate GDPR compliance?
Through the principle of accountability, which requires documenting and demonstrating the adoption of security measures appropriate to the context and purposes of data processing.
What is the role of data processing in the GDPR?
Data processing is any operation performed on personal data. The GDPR requires that all processing is safe and compliant with the rules of the regulation.
What does “adequate level of security” mean?
It means adopting security measures proportionate to the risk associated with data processing, also considering the context and purposes of the processing.
Does GDPR only apply to large companies?
No, the GDPR applies to all organisations, regardless of size, that process the personal data of individuals in the EU.
How are data breaches handled under the GDPR?
Breaches must be notified to the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of them, and to the affected data subjects when the breach is likely to result in a high risk to them.
Does the GDPR require the use of advanced technologies?
The GDPR requires that the security measures adopted are appropriate, taking into account the state of the art, but does not specify particular technologies.