Abstract
The article discusses the obligations connected with ensuring that personal data are processed in accordance with the provisions of the GDPR, including the obligations connected with securing data (Art. 24, 25, 32, 35). Fulfilling those obligations requires estimating the risk of infringement of the rights or freedoms of natural persons, where threats differ in their probability of occurrence and in their weight. This estimation includes a Privacy Impact Assessment (PIA), which is used to select appropriate safeguards in order to minimize the risk and to ensure that data are processed in accordance with the GDPR.
The author points out that, in order to perform those obligations properly, it is necessary to use the ISO/IEC 29100 standards on the protection of personally identifiable information in conjunction with the ISO/IEC 27000 standards on information security management systems. Those standards provide the best basis for such activities, since the concept of personal data protection adopted in the GDPR is built on the principles and guidelines laid down in the information security management standards, including the estimation of risk for the selection of appropriate safeguards and for ensuring compliance with the law.