Amendment 124 of the Proposal for a Regulation, Article 30, states:
“1. The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing, taking into account the results of a data protection impact assessment (…), having regard to the state of the art and the costs of their implementation.”
There are many interesting elements here, in my understanding (my highlights and proposed discussion topics follow in parentheses):
- The security measures must be appropriate to the risks (is appropriateness judged by the controller and processor themselves, in which cases, and until when?)
- The controller and processor shall (jointly, and both of them?) take into account the results of a DP Impact Assessment (which therefore shall be done)
- Considering the state of the art (meaning that a set of security measures adequate today might no longer be adequate tomorrow)
- And also considering the costs of their implementation…
The latter point is the most interesting. Does this mean that it is possible not to adopt all the security measures suggested by the risk analysis and the DP Impact Assessment if they cost too much for a company?