Article 32: Security of processing
- The controller and processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk by:
a) pseudonymisation and encryption of personal data
b) ensuring ongoing confidentiality, integrity, availability, and resilience of systems and services
c) restoring the availability and access to personal data in a timely manner during an incident
d) a process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures for ensuring the security of the processing
- Personal data can't be processed by the processor unless authorized by the controller or required by Union or Member State law.
Article 33: Notification of a personal data breach to the supervisory authority
- In case of a personal data breach, the controller should notify the supervisory authority of the breach within 72 hours (where feasible); if the notification is later than that, it should include the reasons for the delay
- The processor should notify the controller immediately of a personal data breach
- The controller shall document all personal data breaches
Part 1: https://bit.ly/2z16LJX (Article 25, 47, 83)