2023-01-30
CNPD’s GUIDELINES ON ORGANISATIONAL AND SECURITY MEASURES FOR THE PROCESSING OF PERSONAL DATA

The Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados (“CNPD”)) published Guidelines/2023/1, of 10 January, which outline an illustrative set of technical and organisational measures that organisations must adopt to ensure adequate security of personal data and to minimise the adverse effects on individuals' rights in the event of an attack targeting information systems.

With these Guidelines, CNPD intends to make companies aware of their legal obligations regarding security of processing and of the need to invest more in this area.

CNPD also emphasises that subcontracting does not change the fact that the controller is fully responsible for the protection of personal data and is primarily responsible for ensuring respect for the rights and interests of data subjects, through the implementation of appropriate measures and the ensuing adaptation of its business model.

Among the organisational and technical measures that, according to CNPD, must be adopted by organisations in their risk prevention and mitigation plans, are the following:

Organisational measures

  • Setting up an incident response and disaster recovery plan;
  • Classifying information according to its confidentiality and sensitivity level;
  • Creating a user life cycle management policy;
  • Implementing alarm systems that allow the identification of undue access, access attempts or use;
  • Conducting IT security audits and vulnerability assessments;
  • Adopting an internal policy to deal with potential breaches of personal data [1];
  • Raising employees' awareness of the need to adopt a privacy and information security culture.

Technical measures

  • Implementing robust authentication processes;
  • Updating systems and infrastructure, including an upgrade to workstation and server security;
  • Setting up internal policies and procedures on the use of e-mail to send messages containing personal data;
  • Implementing malware protection mechanisms;
  • Setting up clear and appropriate rules for the use of equipment outside the premises;
  • Establishing internal procedures on the storage of paper documents containing personal data;
  • Establishing internal procedures on the transportation of information incorporating personal data.

[1] With regard to the deadline for reporting a personal data breach to the supervisory authority, CNPD has emphasised that the 72-hour deadline to be met by the controller is a continuous period and is not suspended on Saturdays, Sundays or public holidays.