diff --git a/docs/90-Quality-and-support/library/gdpr-and-security.md b/docs/90-Quality-and-support/library/gdpr-and-security.md
new file mode 100644
index 0000000000000000000000000000000000000000..19f0356be90c4644fd83b9da4d7f63ec59b45c8f
--- /dev/null
+++ b/docs/90-Quality-and-support/library/gdpr-and-security.md
@@ -0,0 +1,45 @@
+Source : European data protection, Law and Practise, second edition 2019. An IAPP Publication.
+
+ 
+
+So, what can data protection professionals do to put their organisations in the best
+position possible? Where should they look to understand the meaning of ‘appropriate
+technical and organisational measures’? As well as consulting with their internal
+security professionals about the nature of the security threats and risks and the nature
+of the response strategy, they can seek to familiarise themselves with some of the key
+pieces of readily available learning. Fruitful areas for review include:
+
+• Related pieces of the legislative framework that contain security provisions,
+
+such as the NIS Directive, the ePrivacy Directive, the Cybercrime Directive
+and the Payment Services Directive No. 2.14
+
+• The output of institutions, such as WP29, the European Data Protection
+
+Supervisor and the European Union Agency for Network and Information
+Security.
+
+• The output of security centres of excellence, such as the National Cyber
+
+Security Centre in the UK.
+• Policy frameworks of national governments, such as national cybersecurity
+plans.
+• Regulatory policy statements and other guidance issued by the national data
+protection regulators and by sector regulators.
+• Decisions in regulatory enforcement actions brought by the national data
+protection regulators and related regulators.
+• Decisions of courts and tribunals in related areas.
+• National and international standards for best practice, such as the ISO 27000
+series, the Payment Card Industry Data Security Standard, CBEST and the
+NIST framework.
+
+• Threat assessment reports and subject ma!er white papers published by IT
+security companies and security consultants.
+• The output of relevant professional associations and a'nity groups. There
+are many operating in the space, such as the Cloud Security Alliance and the
+
+Information Security Forum.
+
+This list is not exhaustive, but it should give the data protection professional a fairly
+good impression of the range of available resources in determining an appropriate level
+of security.
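Review bot: The added text carries PDF-extraction damage that should be fixed before merge. In the bullet on threat assessment reports, "subject ma!er" should read "subject matter", and in the following bullet "a'nity groups" should read "affinity groups"; both look like lost ligatures. In the first bullet, "Payment Services Directive No. 2.14" looks like a footnote marker (14) fused onto "No. 2". Since the file has no footnotes, drop the marker. The list will not render as a list in Markdown. It uses "•" rather than "- ", and blank lines split several items mid-sentence (for example between "security provisions," and "such as the NIS Directive"), so the continuation lines become separate paragraphs. Join each item and use the repository's list syntax. The line after the Source line contains only a space and can be removed. Please also check the title in the Source line ("Law and Practise") against the publication. Because the passage is excerpted from that source, consider marking it as a quotation.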