Location Amsterdam: Jollemanshof 12, 1019 GW Amsterdam. Phone 020 663 1941. E-mail info@ictrecht.nl. KvK 34216164. BTW NL8223.30.040.B01
Location Groningen: Leonard Springerlaan 35, 9727 KB Groningen. Phone 050 209 34 99. E-mail info@ictrecht.nl. KvK 68038712. BTW NL857275835.B01
Location Brussel: Avenue Louise 65, 1000 Brussel. Phone +32 (0)2 535 77 55. E-mail info@legalict.com. Ondernemingsnummer 0696.909.465. BTW BE 0696.909.465

Internal security policy

Under the General Data Protection Regulation (‘GDPR’), you are obligated to ensure a level of security that is appropriate to the risks involved in the transfer of personal data. You can record the measures your organisation has taken in an ‘internal security policy’.

Which level of security is appropriate depends on the risks that come with the specific transfers of personal data you carry out. Several factors may be taken into account when assessing the risks inherent in those data transfers:

  • The types of data processed (sensitive personal data bears a higher risk, for example)
  • The chance of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data
  • The consequences for data subjects if their data is unlawfully processed

To determine what constitutes an ‘appropriate’ level of security with regard to the assessed risks, you have to take into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. You can take, for example, the following measures:

Technical

  • Encryption/pseudonymisation of the personal data
  • Keeping software up to date
  • Encryption of portable devices
  • Firewalls
  • Encryption of data in transit (TLS/SSL)
  • Antivirus software
  • Access security (passwords, two-factor authentication)
  • Physical access security (alarm systems, cameras)

Organisational

  • A security protocol
  • An internal policy on how to deal with incidents
  • Appointing a chief information security officer (CISO)
  • An authorisation policy
  • A bring-your-own-device (BYOD) policy
  • Implementing a standard such as ISO 27001, ISO 27002 or NEN 7510
  • Taking out insurance

Internal security policy

Your organisation should be able to demonstrate which security measures have been implemented, and why these measures were chosen in light of the assessed risks. Furthermore, you have to evaluate regularly whether the implemented measures are still appropriate. You do not have to make this security policy public, but you should be able to produce it if a supervisory authority requests it.

Do you want to know if the security measures you have taken are appropriate? At Legal ICT, we have extensive legal and technical knowledge and we would be pleased to advise you on suitable technical and organisational security measures. Furthermore, we can draft an internal security policy for you, and advise you on how to keep this policy up-to-date.

WOULD YOU LIKE MORE INFORMATION?

Send an e-mail to info@legalict.com or call us at +32 (0)2 535 77 55. One of our legal advisors will get back to you very soon.

