I promised to redraft Article 25 of the General Data Protection Regulation (see my last post). Here’s my best effort so far. Unfortunately WordPress doesn’t let me indent, so it’s not as easy to read as it would be in real life:
1. When deciding how to process, and when processing, data, the controller must take appropriate technical and organisational measures such as using pseudonyms (the Measures).
2. Measures must be designed to:
(a) implement data protection principles (such as data minimisation) effectively; and
(b) integrate into the processing all safeguards necessary to:
(i) comply with the Regulation; and
(ii) protect the rights of data subjects.
3. In taking Measures, the controller must consider:
(a) the state of the art;
(b) the cost of complying with the Measures;
(c) the nature and scope of the data;
(d) the context and purpose for processing the data; and
(e) the likelihood or severity of the risks that processing the data might pose to rights and freedoms of individuals.
I’d welcome comments, or suggestions to improve the drafting! In my next post I’ll explain the techniques I used.