Wojciech Maciejewski
Wojciech Maciejewski

GDPR Series, Part 2: When to Implement Data Protection Technology?


Welcome to the second part of our series of posts about GDPR. Today, we're gonna look at what GDPR expects companies in terms of data security.

It's no mystery that going through the entire GDPR text would take some time, therefore we summed up the essentials when it comes to data security.

Article 25 – Data protection by design and by default

Article 25 asks the controller to ensure that the right organizational and technical measures are introduced so that they fulfill the GDPR requirements in terms of data protection.

One of the means of data protection is pseudonymization, also known as data masking.

It's defined as “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person”.

The thing is to make attributing a piece of data to a person as hard as possible.

Example: Employee ID which has an 8-digit format, such as "DE-34-5678".

Article 32 – Security of the processing itself

Even though the GDPR was designed to avoid listing technologies that can soon become outdated, Article 32 specifies data security requirements for the future development of technologies.

Here are the key outtakes:

Controllers and processors have to implement technical measures in accordance with the knowledge, costs, nature, scope, context, purpose and the risk to the data subjects for the pseudonymization and

  • encryption of personal data; to ensure confidentiality,
  • availability and resilience of data processing systems;
  • to provide access to data also after a breach;
  • to test data protection processes and technologies.

Article 32 provides guidelines for GDPR certification, however, at the moment such a certification doesn't exist yet. When created, it will give companies a competitive edge and decrease the risk of fines. Also, it will prove that companies take seriously the issue of data protection.

Article 33– Notification of data breaches to the appropriate regulator:

In the case of a breach of personal data, the controller has to inform a supervisory authority about the breath within 72 hours after the incident. Should the controller not be able to inform the regulator, one has to provide explanation.

After discovering the breach, the controller has to inform a supervisory authority without a delay.

The notification about the breach has to describe the character of the breach, the type of affected data, approximate number of affected records, personal and contact information of the DPO (or other person), possible implications of the breach and mitigation measures. Missing pieces of information can be supplied in phases in case they are unavailable at the moment.**

Article 34 – Notification of data breaches to the affected individual:

Similarly to Article 33, Article 34 demands the controller to notify the victim of the data breach as soon as possible, particularly if there's a risk of personal rights and freedoms violation.

The notification has to be clear and easy to comprehend, and contain the same details as reported to the supervisory authority. There are, however, exceptions when notifying an individual is not mandatory:

  • If data stays safe and is protected by, for example, encryption,
  • If risks to an individual decreased because of application protective measures,,
  • If identifying and notifying victims of data breach involves "disproportionate effort". In such a case, the controller has to communicate the breach differently, for example placing an ad the media.

Article 35 –Data protection impact assessment:

Controllers have to conduct a Data Protection Impact Assessment (DPIA) when newly introduced data processes and technologies cause threat to the rights and freedoms of individuals. The controller has to seek advice of the company’s DPO (data protection officer) when performing a DPIA.

The DPIA must include at least:

  • Why the controller wants to add a certain processing operation
  • An estimation of the need of the suggested processing operation
  • A risk estimate in terms of personal rights and freedoms
  • Proposed measures to minimize risks and security measures ensuring the protection of personal data.

How does Grey Wizard protects about data leaks mentioned by GDPR?

Grey Wizard decreases the risk of data leaks by protecting your infrastructure and internet environment against hacking attacks. Grey Wizard protects websites and web applications from data leaks.

Andrzej Prałat
Wojciech Maciejewski

For media

Provide us with contact details.

Thank you