When to review data protection measures

The measures that guarantee and demonstrate that a processing is in conformity with data protection regulations must be reviewed and updated in the event of any change in the nature, scope, context, purposes of the processing or any change in the risks to the rights and freedoms of natural persons in relation to that processing. Among all measures, the subset of security measures must also be validated and reviewed on a regular basis. A data protection policy should define the change management processes to trigger the review and updating of measures, on a regular and on an exceptional basis.

Foto de Philipp Katzenberger en Unsplash

Photo from Philipp Katzenberger Unsplash

The GDPR (Art. 24) and L.O. 7/2021 (Art. 27 transposing Art.19 of Directive 680/2016) require the controller to review and update the measures implemented in the processing to ensure that it complies with data protection regulations. The standard itself establishes that such review and updating must be carried out when necessary.

There are doubts among some controllers about when it is necessary to review these measures, although, by implication, this is already defined in the data protection regulations cited in the previous paragraph.

That legislation requires that measures must be applied selectively. That is, the standard establishes that it has and must implement adequate measures to guarantee and be able to demonstrate compliance. The measures selected by the controller must be appropriate and not simply an accumulation of measures. The selection of measures must be a rational process based on criteria of suitability and effectiveness of the processing measures in order to ensure and demonstrate compliance with a particular processing.

The articles cited above determine how a processing must be analyzed to determine the selection of measures that will be appropriate. On the one hand, account must be taken of the nature, scope or extent of the processing, the context and its purposes. On the other hand, the risks to the rights and freedoms of natural persons must be taken into account.

The nature of a processing determines how it is implemented: e.g., automatic, manual, mixed, in which operations the processing is structured, whether it is executed in the cloud, on mobile phone, whether it includes biometric operations and automated decisions, whether data processors are involved, whether international transfers are carried out, etc.

The scope and extent of the processing is determined according to the categories of data subjects concerned, categories of special protection, personal data, the duration of the processing itself, the granularity of the data, the frequency of its collection, the geographical amplitude, the retention of data by categories, etc.

The context is determined by multiple external factors that can condition the processing, such as the regulatory context, the characteristics and conditioning factors of the sector or market where it is deployed, the personal data gaps in similar processing, the social environment, the sensitivity of the different communities, etc.

It is necessary to consider the ultimate purpose (or purposes) and the collateral or instrumental purposes and, of course, the various risks to rights and freedoms.

Therefore, if the measures are to be appropriate in relation to the nature, context, categories, scope, purposes, and risks of the processing, they will need to be reviewed and updated when any change occurs in them. For example, it would be necessary to review them if we incorporate a new technology in a processing operation, if some categories of data begin to be processed with greater granularity, if new types of personal data breaches are materializing in similar entities or processing, if the ultimate or instrumental purposes increase or are modified, if there is awareness of new risks to fundamental rights, etc.

The data protection regulations do not require that such review be periodic, but implicitly requires that you be aware of changes in the nature, context, scope, purposes and risks of the processing to act accordingly.

However, there is a subset of measures to ensure and demonstrate the regulatory adequacy of a processing for which a periodic review is required: the security measures. Art. 32.1.d of the GDPR states that security measures shall have "a process of regular verification, evaluation and assessment". On the other hand, the processing subject to the National Security Scheme, e.g., those regulated in L.O. 7/2021, must carry out "an ordinary regular audit, at least every two years" as established in its chapter V.

A data protection policy shall define the management processes to detect changes in the nature, context, scope, purposes, and risks of the processing, and to immediately activate the processes of review and updating of measures for the protection of the rights and freedoms of individuals. In particular, this policy must establish the periodic agenda for validation and review of security measures to guarantee fundamental rights, being recommended that this periodic review also extends to other measures.

More information related to this topic can be found on the AEPD Innovation and Technology website at: