GDPR requires Data Controllers (meaning TV service providers) to implement (and demonstrate) appropriate technical and organisational measures and necessary safeguards to protect the rights and freedoms of their customers (the “Data Subjects”).
These obligations appear in several articles of the GDPR, notably Article 25, which requires the effective implementation of the data protection principles and of data subjects’ rights and freedoms by design and by default (known as “Data protection by design and by default”).
Although the requirements are meant for Data Controllers, following the “Data protection by design and by default” principles will help us in creating “GDPR-compliant” products and services that enable our clients (as Data Controllers) to fulfil their obligations.
Let’s dig into the first requirement in the GDPR Article 25 to understand it better:
- Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
This is legal jargon, difficult for most people to interpret. If we shorten the text above, it can be read as:
- Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the identified risks, the controller shall, at all times, implement appropriate technical and organisational measures in order to meet the requirements of the GDPR.
Better, but there are still many vague and unclear statements in it. Let’s translate some of them:
| GDPR Article 25 | Interpretation |
|---|---|
| Taking into account the state of the art, | “State of the art” refers to the current progress in technology that is available in the market. This means knowing about and staying up to date on technological advances, how technology can present data protection risks, and how to implement adequate measures and safeguards. “State of the art” is a dynamic concept that must be assessed continuously, as a measure or control that once provided an adequate level of protection may no longer do so. Neglecting to keep up to date with technological changes could result in security risks and a lack of compliance with the GDPR. |
| …the cost of implementation and | In this context, “cost” refers not only to money but to resources in general, including time and people. The set-up and maintenance of the “state of the art” may affect “the cost of implementation”. The Data Controller shall plan for and expend the necessary costs for the effective implementation of all data protection principles. |
| …the nature, scope, context and purposes of processing | The nature can be understood as the inherent characteristics of the processing. The scope refers to the size and range of the processing. The context relates to the circumstances of the processing, which may influence the expectations of the Data Subject, while the purpose pertains to the aims of the processing. |
| …as well as the identified risks, | The Data Controller has to identify the risks and determine their likelihood and severity based on the nature, scope, context and purpose of the processing, and verify the effectiveness of the measures and safeguards proposed. |
| …the controller shall, at all times, implement appropriate technical and organisational measures in order to meet the requirements of the GDPR. | This could include data pseudonymisation and data minimisation, but also anything from technical solutions to training personnel on how to handle customer data. There is no requirement on the sophistication of a measure as long as it is appropriate for implementing the data protection principles effectively. |