Technical measures
1. Technical measures
Welcome back!
2. What are they?
Technical measures are essential to data security. Their objectives include securing an organization's digital spaces to protect data, and they also include technologies and processes for data minimization and privacy preservation. Technical measures cover the physical security of buildings and data centers, cybersecurity, and information security, including encryption and pseudonymization.
3. Physical security
Physical security includes giving access to your workspaces only to employees or pre-screened visitors. If you operate a data center, you may need round-the-clock surveillance to prevent a physical breach. Other measures include locking cabinets that hold hard copies containing personal data and setting up alarms in your buildings.
4. Cybersecurity
Cybersecurity is about ensuring network and system security as well as your organization's online and device security. Technical measures to ensure cybersecurity include stress testing or penetration testing of network infrastructure against malicious cyber attacks, and backing up your data in a secure location with the appropriate access controls. Additional measures include securing employees' online activities and ensuring device safety. The technical measures an organization needs depend on the size, scope, purposes, and risks of its data processing activities. While GDPR doesn't specify an exhaustive list of measures, it suggests encryption and pseudonymization of data as suitable technical measures. They are the only two measures, technical or otherwise, that appear in the regulation text. Let's find out more.
5. Encryption
Encryption is a mathematical function or algorithm that encodes data so that only users with the right access keys can open it. Encrypted data without an access key is not considered personal data. Encryption prevents unlawful or unauthorized access, which makes it an effective tool for data protection. Implementing encryption across your organization is relatively low-cost. There are many in-device options and commercial solutions, as well as open-source solutions like VeraCrypt that offer free and cross-platform encryption capabilities.
6. Pseudonymization
Pseudonymization is the processing of personal data in such a way that the data can no longer be attributed to a specific individual without additional information. For instance, after pseudonymization, Mary Adams, Female, age 23, becomes Record 1, Female, age 23. That means direct identifiers like names or surnames are replaced with a pseudonym or a fake proxy. Some of the most common pseudonymization techniques are counter and random number generators. Pseudonymization is a good practice to reduce data processing risks; however, it is not the same as anonymization since it still contains the main identifiable personal data elements. In the following video, we'll learn about anonymization, its limitations, and the concept of data utility while guaranteeing data protection.
7. Let's practice!
Awesome! Let's practice your skills on the technical measures of GDPR.
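The pseudonymization step described in section 6, as an added example that is not part of the original course material: it applies the counter and random-number techniques to constructed records and keeps the lookup table (the "additional information") apart from the released rows. The class, function and field names are assumptions made for this illustration.

```python
import secrets

class Pseudonymizer:
    """Swaps a direct identifier for a pseudonym; the lookup table stays with the holder."""

    def __init__(self, technique="counter"):
        if technique not in ("counter", "random"):
            raise ValueError("technique must be 'counter' or 'random'")
        self.technique = technique
        self._lookup = {}    # name -> pseudonym: store and access-control separately
        self._reverse = {}   # pseudonym -> name

    def _new_pseudonym(self):
        if self.technique == "counter":
            # Sequential values are simple but reveal the order of processing.
            return f"Record {len(self._lookup) + 1}"
        # Random technique: draw from a CSPRNG, retry on the unlikely collision.
        while True:
            candidate = "Record " + secrets.token_hex(8)
            if candidate not in self._reverse:
                return candidate

    def pseudonymize(self, record, id_field="name"):
        name = record[id_field]
        if name not in self._lookup:   # the same person always gets the same pseudonym
            pseudonym = self._new_pseudonym()
            self._lookup[name] = pseudonym
            self._reverse[pseudonym] = name
        # Gender and age are kept, which is why this is not anonymization.
        out = {k: v for k, v in record.items() if k != id_field}
        out["pseudonym"] = self._lookup[name]
        return out

    def reidentify(self, pseudonym):
        """Only possible for whoever holds the lookup table."""
        return self._reverse[pseudonym]

# Constructed sample records (not real data).
SAMPLE = [
    {"name": "Mary Adams", "gender": "Female", "age": 23},
    {"name": "John Smith", "gender": "Male", "age": 41},
    {"name": "Mary Adams", "gender": "Female", "age": 23},
]

def demo(technique="counter"):
    holder = Pseudonymizer(technique)
    return holder, [holder.pseudonymize(r) for r in SAMPLE]

if __name__ == "__main__":
    print(demo("counter")[1])
```

The released rows can be shared for processing while the `Pseudonymizer` instance, which holds the mapping, is kept under separate access control.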