Both the European General Data Protection Regulation (RGPD) EU 679/2016 and its transposition into Spanish legislation (Organic Law 3/2018 of December 5, LOPDGDD) establish that organizations must carry out a ... Specifically, article 32.1.d of the RGPD provides that ... the security measures implemented by a controller or a processor of personal data must include, among others, d) a process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures for ensuring the security of the processing.
This means that, although no fixed periodicity for these checks is defined, the Data Security Officer (or the DPD, where appropriate) must determine that periodicity, taking into account the state of the art, the costs of implementation, the nature of the data processed and the purposes of the processing, as well as the likelihood and severity of the risks in the event of a breach. It is recommended that this verification, evaluation and assessment process be carried out at least once a year, documenting the results and, where applicable, the corrective actions taken to improve or remedy the weak points or regulatory breaches identified.
It is recommended that a control checklist be prepared and that the process be performed by people who are as independent as possible from the process itself.
APTABEL, through one of its internal multidisciplinary teams specialized in the RGPD-LOPDGDD, can offer an adequate solution to this legal requirement, as well as a status report, an action plan and certification of the completion of the verification, evaluation and assessment process for your Data Protection System.