As this data protection principle is introduced, controllers can no longer make excuses, claiming that they have brought their businesses into compliance with the GDPR while having only pro forma documents and lacking adequate ones, engaging DPOs who do not understand what it takes to be compliant, and having employees who do not understand their responsibilities.
This principle is closely connected to the integrity and confidentiality principle. The GDPR prescribes a clear obligation for controllers to demonstrate that technical and organisational measures are adequate: measures shall be the result of a risk assessment that takes into account the nature, scope, context, and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.
JPM Partner Ivan Milošević, together with Prof. Gojko Grubor and Senior Associate Andrea Cvetanović, provides detailed insights into those principles. The full article can be found HERE.