GDPR Organizational and Technical Measures – What now?

Companies also stand to gain from applying the key measures required by the General Data Protection Regulation. This is what Bruno Rodrigues, from APDPO, explains to us.

Since the General Data Protection Regulation (GDPR) entered into force, many questions have been raised about whether organizations are technically equipped to comply with it.

While some European organizations far exceed the level of security the GDPR requires, in most Portuguese SMEs the maturity of IT security and data protection is generally very low.

Because raising that maturity is expensive in working hours and financial resources, yet highly recommended for the protection of the company's data and information systems, I present some generic recommendations on how to approach the problem.


1 – GDPR technical view from the State perspective

Shortly after the GDPR entered into force, the Government published its own view, in generic terms, of which technical areas the entire public administration should attend to. This is undoubtedly an important step for private organizations as well: as I read it, it helps companies choose which areas require immediate intervention from a data security standpoint, so that private entities can conform to the same degree as public entities.

Note that compliance does not in any way mean that the organization is actually secure; it is, however, a good start. To see the Government's view, consult Resolution of the Council of Ministers no. 41/2018.

The resolution distinguishes three layers of action, all of them critical: front end, application and database. From a security-process perspective, these three layers fall under what is usually called IT Security Governance.


2 – CIA – Confidentiality, Integrity and Availability

One of the pillars of computer security is the CIA triad (Confidentiality, Integrity and Availability). In use since the early days of computer networks, it gives organizations three fundamental properties that should be applied, as fully as possible, to every situation the organization faces, including data protection:

  • Confidentiality – data is stored securely and is accessible only to authorized persons or processes. Simply put, data is protected from unauthorized access and disclosure;
  • Integrity – data is protected from unauthorized modification or destruction, so that it remains accurate and complete; any change must be detectable and attributable to an authorized party;
  • Availability – systems must guarantee that data and services are accessible when they are needed, which in practice means redundancy and the absence of any “single point of failure”.
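As an added example that is not part of the original article, the following Python script shows what the Integrity property looks like in practice: a stored personal-data record is tagged with an HMAC under a key held only by the authorized writer, and any unauthorized modification (a flipped consent flag, a wrong key, a clipped tag) is detected when the record is read back. The record layout, the key and the function names are my own assumptions for illustration, not anything taken from the article or from the resolution it cites.

```python
"""Added example (not part of the original article): enforcing the Integrity
property on a stored personal-data record with an HMAC tag.

Assumptions (all constructed for illustration): the record layout, the
secret key and the helper names are hypothetical; a real deployment would
keep the key in a secrets store, not in source code.
"""
import hashlib
import hmac
import json

# Constructed sample: a secret known only to the process allowed to write
# records. Any party without it cannot produce a valid tag.
INTEGRITY_KEY = b"example-key-from-secrets-store"


def canonical(record: dict) -> bytes:
    # Serialise deterministically (sorted keys, no stray whitespace) so the
    # same data always yields the same bytes regardless of field order.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def tag_record(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """Return a hex HMAC-SHA256 tag to be stored alongside the record."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_record(record: dict, tag: str, key: bytes = INTEGRITY_KEY) -> bool:
    """True only if the record is byte-for-byte what the key holder tagged.

    compare_digest is constant-time, so the comparison itself does not leak
    how many leading characters of a forged tag were correct.
    """
    expected = tag_record(record, key)
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Walk through the cases a practitioner would want to see."""
    # Constructed personal-data record.
    record = {"customer_id": 1042, "email": "ana@example.com", "consent_marketing": False}
    tag = tag_record(record)

    # Same data with fields in another order still verifies.
    reordered = {"consent_marketing": False, "email": "ana@example.com", "customer_id": 1042}

    # Unauthorized modification: someone flips the consent flag in the database.
    tampered = dict(record, consent_marketing=True)

    return {
        "genuine": verify_record(record, tag),
        "reordered": verify_record(reordered, tag),
        "tampered": verify_record(tampered, tag),
        "wrong_key": verify_record(record, tag, key=b"another-key"),
        "truncated_tag": verify_record(record, tag[:-1]),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:14s} verified={ok}")
```

Note that a MAC gives detection, not prevention: the tampered record is still rejected only because the reader checks the tag before trusting the data, and the key itself must be protected as a Confidentiality asset. In production the same guarantee is usually obtained with an authenticated encryption mode, which delivers confidentiality and integrity together in one operation.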

3 – The Software Security Development Lifecycle

One of the focuses of the Council of Ministers resolution is software. This is one of the most important issues in the current computer security landscape, and much could be written on the subject.

As an introduction to the topic, I mention a resource which, although limited, can greatly help Data Protection Officers work with development teams on data protection: Microsoft's Security Development Lifecycle (SDL) – https://www.microsoft.com/en-us/SDL .

In addition to the various guides available on that page and elsewhere (I always advise consulting OWASP on the subject), Microsoft has developed a threat modeling tool that lets organizations quickly identify which attacks must be taken into account during the software development process.

At each stage of the process, across its various components, and in projects ranging from a simple website to a complete ERP system, the organization must understand which attacks could compromise personal data and which measures are being implemented to mitigate them. This applies equally to projects developed by external entities.

Data and organizational security aims to protect users, customers and stakeholders from attacks and loss of information. It should always be approached in layers, with technical measures targeting assurance of the CIA properties in all areas of the company.
