Technical and Organizational Measures
Security Measures
Security is in itself a micro-system within the broader data protection framework (Article 32). Technical and organizational measures play a fundamental role under the Regulation, in at least six distinct respects:
They determine the level of security adopted (Article 32)
They must allow the Controller to adequately protect the data from any breach (Article 33) and to react promptly in the event of a breach
They must be able to adequately support the exercise of the data subjects' rights (e.g. Article 17.2)
They must be able to reduce the risks associated with the protection of personal data (e.g. Article 22.2(b))
Depending on their type and quality, they affect the risk assessment
They constitute an important organizational criterion in the management of controllers, agents and subcontractors (e.g. Articles 24.1, 28.1, 28.4)
They allow verification of, and demonstrate, the Controller's level of accountability (e.g. Articles 25.1, 30.1(g), 30.2(d)).
Failure to take appropriate security measures is sanctioned with administrative fines of «up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher» (Article 83.4).
Security in General
Unlike Italian legislation (D.Lgs. 196/2003), the GDPR does not prescribe specific security measures, not even minimum ones, but imposes a general obligation on both the Controller and the Processor to take measures that mitigate the risks associated with the data processing (Article 32). As explained below, this requires the Company to make an initial assessment of the adequacy of the measures against the risks, since the measures taken must ensure an appropriate level of security given the state of the art and the related costs.
Article 32 covers not only “technical” measures but also those of an organizational nature; both must be the result of a risk analysis.
Security Assessment
Determining the measures to be taken requires a complex evaluation process.
The assessment of their adequacy must be based on an analysis of «the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons» (Article 32.1).
In addition, the risks to be assessed are those presented by «accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed» (Article 32.2).
According to the principle of accountability (Article 24), the Controller must be able to account for the validity of its assessments.