Securing Personal Data: a risk-based approach

To mark Data Protection Day 2020 on 28 January, the EU Agency for Cybersecurity launches an online platform to assist in the security of personal data processing; this platform implements a risk-based approach to personal data security as a means to underpin trust.

Security and Data Protection: Two Sides of the Same Coin

New Platform

The new platform is part of the Agency's work on privacy and data protection, which focuses on analysing technical solutions for the implementation of the GDPR, privacy by design and the security of personal data processing.

Juhan Lepassaar, Executive Director of the EU Agency for Cybersecurity, stated:

“It is the role of the EU Agency for Cybersecurity to support the cybersecurity ecosystem with practical advice and tools to support risk mitigation. The platform is a key tool providing guidance to organisations on their risk profile when processing personal data; furthermore, this platform provides organisations with recommendations based on their individual profile.”

Main recommendations

The recommendations in the accompanying report cover the following areas:

  • Organisations, such as SMEs, that process personal data (data controllers) and competent EU bodies should work towards common use cases and examples for personal data security, while supporting broader security risk assessment frameworks that embed data protection requirements.
  • Competent EU bodies and Data Protection Authorities should develop practical guidance documents that will be able to support and assist different types of data controllers on the selection of appropriate and adequate security measures.
  • The research community and standardisation bodies should continue working on technical solutions to ever-increasing security threats, both in the different areas of security measures and in privacy-enhancing technologies, with the support of competent EU bodies and the European Commission in terms of policy guidance and funding.
  • The European Commission, Data Protection Authorities and competent EU bodies should explore possible synergies between the different certification frameworks that address the security of personal data processing.

Who can use the platform?

Data controllers, and the contractors that process personal data on their behalf (data processors), can use this platform to shape their approach when developing policies to protect the personal data under their control. The platform can also prove useful to auditors and supervisory authorities alike, as a means of assessing the level of preparation and analysis that preceded a data controller's choice of security measures.

The platform is of particular value to the SME community, which can benefit from publicly available solutions such as this one from ENISA to support GDPR compliance.

Background

Because the security of personal data processing is a key obligation for data controllers and processors under Article 32 of the General Data Protection Regulation, ENISA proposed in 2018 a risk-based approach to the adoption of security measures for the protection of personal data.

Further information

The platform can be found here: On-line tool for the security of personal data processing

The report can be found here: ENISA Report - Online Platform for Security of Personal Data Processing

For further queries or interviews, please contact press@enisa.europa.eu