Examples of security measures

This means that not all examples mentioned here are per se applicable to your specific processing operations. Besides, you have to take the state of the art into account. New measures may therefore be developed that can improve your security. You will have to keep a close eye on this yourself.

Technical security measures

These are examples of technical security measures:

• Logical and physical (access) security and security of equipment. Here you should not only think of safes and security staff, but also of firewalls, network segregation (separation of networks), authorisation (which employee has access to what), and linking accounts to 1 person (to prevent an account from being used by several people).
• Technical management of the authorisations (which should be as restricted as possible) and keeping logfiles.
• Management of technical vulnerabilities (‘patch management’).
• Keeping software up to date, such as browsers, virus scanners, and operating systems.
• Making backups that you can use to restore the availability of and the access to personal data in a timely manner. Consider if you need double systems, to ensure that the whole continues to function properly if a component of the system breaks down.
• Automatically removing outdated data.
• Encrypting data.
• Using hashing as a method for pseudonymisation of personal data.
• Processing fewer data on your servers and having more data processing operations performed on the equipment of the user themselves, such as a smartphone.

Organisational security measures

These are examples of organisational security measures:

• Assigning responsibilities for information security to people.
• Increasing security awareness with existing and new employees.
• Establishing procedures for testing, assessing, evaluating and - where necessary - tightening up the security measures at regular intervals.
• Regularly checking the logfiles.
• Drawing up a protocol for dealing with data breaches and security incidents.
• Concluding non-disclosure agreements and processing agreements.
• Regularly assessing if you can achieve the same purposes with fewer personal data.
• Giving fewer people in your organisation access to personal data.
• Recording the decision-making process and the underlying considerations for each processing operation.

Consulting of standards

There is no ready-made security plan that meets the requirements of each organisation and each data processing operation. A proper security of data processed always requires customisation.

There are standards and codes of conduct that you can consult to provide you with guidance when applying that customisation. And that you can follow to determine with more certainty if your security measures are sufficient.

For example:

• ISO 27002 for information security management measures;
• ISO 27701 for privacy information management;
• NEN 7510 for information security in the healthcare sector;
• Government information security baseline (Dutch abbreviation: BIO) (in Dutch).