The security of personal data is one of the key founding principles of the Law. In light of that, the Law obliges the controller to take adequate technical, organizational, and personnel measures to ensure that personal data processing is carried out in accordance with the Law, while taking into account the nature, scope, circumstances and purpose of the processing, and the assessment of the risk to the rights and freedoms of natural persons.
If needed, the controller must be able to demonstrate that it has acted in compliance with this legal requirement.
Even though the above-mentioned provision may seem imprecise, the Law actually follows the approach of the General Data Protection Regulation (GDPR), which takes into account the ever more rapid pace of technological progress as well as the many different areas in which personal data processing takes place. That is the reason why the Law refrains from specifying in detail what the “technical, organizational and personnel measures” that the controller should implement are.
Once the protection measures have been implemented, they should not be regarded as permanent and unchangeable. On the contrary, the controller should reassess them and update them where needed.
The security of personal data means that the controller and the processor implement appropriate technical, organizational, and personnel measures to ensure a level of security of personal data that is adequate to the specific risk threatening that security. In doing so, they should bear in mind the state of technological development and the cost of implementing the measures, the nature, scope, circumstances, and purpose of the processing, as well as the likelihood of the risk occurring and the severity of the risk to the rights and freedoms of natural persons.
The significance of implementing the above-mentioned measures is best reflected in the fact that a great number of penalties for violations of the GDPR have been imposed for inadequate technical security. For example, a penalty of EUR 204,000,000.00 was imposed on the company British Airways in the United Kingdom for a personal data breach resulting from a hacker attack, as we discussed in our news article British Airways and Marriott International Violated GDPR – What Consequences Could They Face?.