Spain: AEPD publishes blog post on reviewing and updating data protection security measures
The Spanish data protection authority ('AEPD') published, on 8 February 2023, a blog post on when data controllers should review and update their data protection security measures. In particular, the AEPD recalled that, under Article 24 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and Organic Law 7/2021, of 26 May, on the protection of personal data processed for the purposes of the prevention, detection, investigation and prosecution of criminal offences and the execution of criminal penalties, which transposes the Data Protection Directive with Respect to Law Enforcement (Directive (EU) 2016/680) ('Law Enforcement Directive'), data controllers are required to review and update the technical and organisational measures they have implemented, so as to ensure that the processing in question continues to comply with data protection law.
More specifically, the AEPD outlined that any change in the nature, scope, context or purposes of the processing, as well as any change in the risk to the rights and freedoms of natural persons arising from that processing, triggers a review and update of the existing security measures. To support this, the AEPD compiled a list of its existing guidance on the subject, including:
- its guidance on risk management and impact assessment for the processing of personal data;
- its Privacy by Design guide;
- its Data Protection by Default guide; and
- its guidance on governance and data protection policy.
You can read the blog post here.