GDPR Articles Simplified – Part 2 – ‘Notification and communication’

Article 32: Security of processing

  1. The controller and processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
    a) the pseudonymisation and encryption of personal data
    b) ensuring the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
    c) restoring the availability of, and access to, personal data in a timely manner during an incident
    d) a process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures for ensuring the security of the processing
  2. Personal data can't be processed by the processor unless authorized by the controller or required by Union or Member State law.

Article 33: Notification of a personal data breach to the supervisory authority

  1. In case of a personal data breach, the controller should notify the supervisory authority about the breach within 72 hours (where feasible); if the notification is later than that, it should include the reasons for the delay.
  2. The processor should notify the controller immediately of a personal data breach.
  3. The controller shall document all personal data breaches.

Part 1: https://bit.ly/2z16LJX (Articles 25, 47 and 83)