To prevent personal data breaches, organizations must implement appropriate security controls relevant to the circumstances of data processing. Such security controls may be preventative (security measures to limit the personal data breaches) and remedial (mitigation measures to limit the impact of a personal data breach that has happened) in nature.
Organizations must consider the following factors while choosing an appropriate security control for the protection of personal data:
Nature, scope, context, and purposes of personal data processing: The nature, scope, context, and purposes of data processing affect the risks to the rights and freedoms of data subjects. For example, the more sensitive the data is, the higher the risk of harm will be. Even a small amount of highly sensitive personal data can have a high impact on an individual. Therefore, such factors must be taken into account when implementing a security control.
Industry best practices around security controls: Data security is a domain of professional expertise. Therefore, organizations must consider industry best practices when choosing an appropriate security control. For example, encryption is one of the industry-accepted security measures.
Costs of implementation of security controls: A security control does not need to be exorbitantly expensive, and organizations must consider the cost of implementation of security controls. Companies must invest financially in security measures and implement security controls whose cost is determined by, and proportionate to, the risk being addressed.
In addition to the considerations above, an ideal security control must have the following abilities:
Restore the availability and access to personal data promptly in the event of a security incident.
Render the data unintelligible for any person who is not authorized to access it.
Ensure the confidentiality and integrity of data processing systems and services.
Despite security controls, security incidents will inevitably take place. However, not every security incident qualifies as a personal data breach, and not every personal data breach is required to be notified to the regulatory authority and the impacted data subjects. Therefore, every organization must have an effective and robust breach response management process. It must have a mechanism in place to determine when a security incident is considered a personal data breach and when a personal data breach needs to be notified, to identify areas of improvement, and to implement the remediation measures necessary to reduce the consequences for data subjects.