DATA PROTECTION
European Data Protection Supervisor: guide to securing information and business continuity.
In his Guidance on Information Security Risk Management published today, the European Data Protection Supervisor (EDPS) advises EU institutions on how to ensure a secure and trustworthy digital environment for the information that is essential for the functioning of their services.
The security of personal data is a legal requirement, but it is also necessary in the interests of organisations that rely on the use of information for their daily business. It is essential that they maintain appropriate security levels for information since the value and efficiency of their work is so dependent upon it. I urge the hierarchies in the EU institutions to engage in the tailored development and use of information security risk management processes to address the specific needs of their organisation.
Different organisations are exposed to different security risks to the information they use, so state-of-the-art risk assessment methods provide an efficient way of identifying the appropriate solutions for the specific risks faced by an institution and can justify the use of financial and IT resources to develop those solutions.
Information security risk management for personal data requires specialist expertise in information and IT security as well as data protection. Data Protection Officers (DPOs) should support information and IT security experts in the development of these processes.
Technical security solutions alone cannot solve the issue of information security. An organisation's hierarchy is ultimately responsible for the enforcement of decisions that affect applications and the IT infrastructures that support them. Management has to support the development and implementation of policies and to mobilise the resources required to counter the information risks that an organisation faces.
While this Guidance document is primarily aimed at the EU institutions, anyone interested in data protection might find it useful: the data protection Regulation applicable to the EU institutions (Regulation (EC) No 45/2001) is similar in many respects to the Data Protection Directive (Directive 95/46/EC), which is transposed into the national laws of the EU Member States, as well as of Iceland, Liechtenstein and Norway.
This Guidance will continue to be useful with the entry into force of the new General Data Protection Regulation which maintains the principle of risk management for security and strengthens overall responsibility and governance requirements, by explicitly introducing the principle of accountability in respecting data protection obligations.