Under the European legal framework (Directive 95/46/EC), organisations that collect and further process personal data are obliged to implement technical and organisational measures that protect the data with a level of security appropriate to the risk.
The General Data Protection Regulation, which will soon come into force, strengthens this obligation for both data controllers and data processors, following a risk-based and impact-driven approach. Such an approach should enable organisations to identify and assess the risks, the likelihood and the impact of potential breaches of the confidentiality, integrity and availability of personal data, and support them in adopting the security measures those risks require.
In 2016 ENISA will provide a set of guidelines for small and medium organisations, acting as data controllers or processors, on how to perform a risk assessment and implement appropriate security measures for the protection of personal data. This work is expected to continue in the following years for controllers and processors of different scales and in different sectors, as well as through the publication of relevant guidance and training material.