What measures for personal data protection shall be taken in the organization?


The State Data Protection Inspectorate of the Republic of Lithuania has published 20 minimum organizational and technical requirements and measures aimed at protecting personal data in each organization. These requirements must be met by any organization or person who processes the personal data, and many will take additional steps to ensure an adequate level of security of personal data processed by them.

According to the information provided by the SDPI, 10 minimum requirements for the appropriate organizational data security measures are as follows:

10 minimum requirements for organizational data security measures:

1. Personal data security policy and procedures. The security of personal data and their processing in the organization must be documented as part of the information security policy.
2. Roles and responsibilities. Roles and responsibilities related to the processing of personal data must be clearly defined and distributed in accordance with security policy.
3. Access control policy. Each role related to the processing of personal data must have specific access control rights.
4. Resource and asset management. An organization must have a register of IT resources used to process personal data, and the management of the registry must be assigned to a specific person.
5. Change management. The organization must ensure that all changes to the IT systems are monitored and registered by specific person.
6. Data processors. Data controllers and processors should be defined before any personal data processing activity is initiated, document and reconcile mutual formalities. The data processor must immediately notify the controller of any personal data breach detected.
7. Personal data security breaches and incidents. An incident response plan must be established in a comprehensive manner. Violations against personal data must be immediately reported to the management and competent authorities.
8. Business continuity. The organisation must establish the basic procedures to be followed in case of an incident or personal data breach, in order to ensure the necessary continuity and availability of personal data processing by IT systems.
9. Staff confidentiality. The organization must ensure that all employees understand their responsibilities and responsibilities related to the processing of personal data.
10. Training. The organization must ensure that all employees are properly informed about the security controls of IT systems related to their daily work.

10 minimum requirements for appropriate technical data security measures:

1. Access Control and Authentication. An Access Control System must be implemented for all users of the IT system. The Access Control System must allow the creation, validation, revision, and removal of user accounts. Shared user accounts must be avoided.
2. Technical journal entries and monitoring. The records of technical journals must be implemented for each IT system, application program used for processing personal data. Technical journals must display all possible types of access to personal data records (such as date, time, review, change, cancellation).
3. Protection of servers, databases. The databases and application server servers must be configured to work properly and use a separate account with the lowest operating system privileges assigned. Databases and Application Servers must process only those personal data that is required for work that meets the data processing objectives.
4. Workstation protection. Users should not be able to turn off or bypass, avoid security settings. Antivirus applications and their virus database information must be updated at least weekly. Users must not have the privilege of installing, removing, administering unauthorized software. IT systems must have a set session time.
5. Network and communication security. When access to used IT systems is carried out online, it is imperative to use an encrypted communication channel, i.e. cryptographic protocols (such as TLS, SSL).
6. Backups. Backups and data restoration procedures must be defined, documented and clearly linked to roles and responsibilities.
7. Mobile, portable devices. The procedures for administering mobile and portable devices must be identified and documented, with a clear description of the proper use of such equipment. Mobile, portable devices that will be used to work with information systems must be registered and authorized before use.
8. Software Security. Software used in information systems (processing personal data) must comply with software security best practices, software development structures and standards.
9. Data removal. Before removing any data storage media, all data contained in it must be destroyed using software designed for that purpose, which supports reliable data-erasure algorithms.
10. Physical safety. The physical protection of the environment, premises in which the IT system infrastructure is located, must be implemented from unauthorized access.

The implementation of these requirements will help organizations to ensure compliance with the General Data Protection Regulation. Among other things, it is important to note, when conducting inspections in organizations at the State Data Protection Inspectorate, irrespective of the size of the organizations or the sector, it will be important whether at least these minimum measures are implemented contributing to the protection of personal data and privacy.

Get in touch