Technical-organizational measures interact with the entire system for the protection of personal data under different profiles:

The security measures objectives – found in the Regulation – are dual:

The “active” protection profile requires the adoption of an adequate security level. The determination of the adequacy of the level is achieved adopting a risk-based approach: «appropriate technical and organisational measures to ensure a level of security appropriate to the risk» should be implemented, «taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons» (Article 32 (1)).

The legislator provides an example list of such measures that may include:

On the “reactive” front, in addition to system resilience and recovery policies, the legislator imposes specific disciplines in case of data breaches.

It should be noted that, according to EU Regulation no. 611/2013, concerning publicly available electronic communications providers, encryption or hashing systems are not considered to be comprehensive remedies for protection against the risk of infringement, as they must be accompanied by appropriate organizational and technical measures under art . 17 of Directive 95/46 [Recital (17)]. However, they allow – if they comply with the conditions laid down – to avoid notifying users in case of a breach (see Article 4).

The so-called Cybersecurity Directive is being published on the Official Journal of the European Union. The Directive envisages for energy, transport, banking, financial market infrastructure, health and water supply services:

The Regulation extends the reporting obligations for personal data breaches to their respective competent authorities, to all Data Controllers. The notification must be made without unjustified delay and, in any case, within 72 hours of the date on which it has become known, unless the Controller demonstrates that it is unlikely that the data breach would present a risk to the rights and freedoms of the data subjects affected by the breach. If the notification takes place after the 72-hours deadline, the reasons for the delay must be explained [Recital (67) and art. 31]. In the event of a high risk for the rights and freedoms of the data subjects, notification should also be made to the latter, by making recommendations to mitigate potential adverse effects. Notification to data subjects must be carried out «as soon as reasonably feasible and in close cooperation with the supervisory authority, respecting guidance provided by it or by other relevant authorities such as law-enforcement authorities» [Recital (86)].

Adopting appropriate technical measures to effectively limit the risk of identity theft or other forms of abuse positively affects the consequences of a data breach and the resulting legal implications.