GDPR Article 24 is the first section of GDPR that addresses the general obligations of the data controller, which are described in greater detail in subsequent articles.
The change in tone from passive compliance to the use of obligatory language is a hallmark of GDPR legislation, and sets the tone for how controllers are expected to behave later on in the legislation.
Responsibility of the controller
- Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.
- Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.
- Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller.
GDPR doesn’t actually define what a technical measure is, which has led to some confusion among organisations that struggle to understand what their obligations are. As a result, most legal authorities define a ‘measure’ as any action an organisation can take that makes it compliant.
Given the broad scope of the term ‘measure’, organisations seeking to ascertain how to achieve compliance should undergo a thorough risk assessment that takes into account the nature, scope and purpose of their processing activities.
In addition, organisations need to remain continually mindful of the rights and freedoms of individuals, alongside any operational risks.
As a general rule, the riskier the processing operation, the more evidence is required. Organisations should focus on collecting physical and digital evidence that proves they are a compliant, law-abiding organisation.
Before attempting to address privacy protection and implement PII protection measures, organisations need to first gain an understanding of their obligations as a sole or joint PII controller and/or processor.
This includes:
Record management encompasses four key areas:
Organisations should:
ISO advocates for a dual-fronted approach to organisational privacy protection that includes:
Both types of policy can either be combined into one document, or separated out as the organisation sees fit.
Policies should be disseminated to all relevant staff members (and external personnel, if needs be), to ensure ongoing adherence with internal and external privacy protection requirements.
Anyone who receives a policy should be asked to confirm, preferably in writing, that they both understand what is being asked of them, and are willing to comply.
Policies should be reviewed when changes are made to:
Senior management should establish a top-level privacy protection policy (along with other topic-specific policies) that clearly outlines the processes and practical steps that will be taken in order to safeguard PII.
Organisational privacy protection policies should contain information from, and remain relevant to:
Privacy protection policies should define the organisation’s:
Records (otherwise known as ‘inventory lists’) should have a delegated owner, and may include:
| GDPR Article | ISO 27701 Clause | ISO 27701 Supporting Clauses |
|---|---|---|
| EU GDPR Article 24 (3) | ISO 27701 5.2.1 | None |
| EU GDPR Article 24 (2) | ISO 27701 6.15.1.3 | None |
| EU GDPR Article 24 (2) | ISO 27701 6.2.1.1 | None |
| EU GDPR Article 24 (1) | ISO 27701 7.2.8 | None |
ISMS.online offers you a complete GDPR solution.
We provide an environment that has been pre-built for you to describe and demonstrate your approach to protecting your European and UK customer data, and that fits seamlessly into your management system.
The ISMS.online platform has built-in guidance at each step combined with our ‘Adopt, Adapt, Add’ implementation approach so the effort required to demonstrate your approach to GDPR is substantially reduced.