The European Data Protection Supervisor, the independent supervisory authority responsible for monitoring data protection compliance at EU level, has issued guidance entitled Security Measures for Personal Data Processing. Although the guidance is aimed specifically at EU institutions and bodies, it is likely to be of interest to, and become a point of reference for, businesses throughout Europe.
The guidance draws upon accepted best-practice recommendations for information security risk management and incorporates the security obligations set out in the relevant EU law. It does not prescribe any particular security measures that must be implemented to mitigate risk, but notes that "state of the art" risk assessment and management must be applied at all times; the choice of controls is left to the organisation, to be justified by its own risk assessment.
The European Data Protection Supervisor highlights the importance of adopting an information security risk management framework as a means of managing and monitoring risk on an ongoing basis, rather than as a one-off exercise. The guidance sets out in detail how this framework should be applied, and the procedure it describes should prove a useful tool for any organisation looking to streamline and focus its information security risk management processes.