
28 Jan Providers of services to Public Administrations must comply with the National Security Scheme.
The adoption of appropriate technical and organisational measures is no longer sufficient since the adoption of the new LOPDGDD.
In recent months we have been providing useful information on the new data protection law, which brings with it a series of changes that companies must adopt.
Since the publication of the General Personal Data Protection Regulations, companies have been making efforts to adopt “appropriate” technical and organisational measures to guarantee the confidentiality, integrity and availability of the personal data they process.
Well, companies that provide services to Public Administrations are not exempt from doing so. Public Administrations are now required to adopt the security measures provided for in the National Security Scheme. These measures have to be adopted by the Public Administration to which the service is to be provided.
The National Security Scheme foresees a total of 75 security measures that affect the organisational framework and the public administration of the entity (e.g., the preparation of a security policy), the operational framework (e.g., performing risk analysis, acquiring duly certified components, etc.), and the framework of protection measures for facilities and infrastructures, equipment, communications and computer applications, among others.
Contractors must also provide sufficient training for their staff so that they can duly comply with the measures adopted, establish a procedure for continuous improvement of the security process, which includes conducting audits at least every 2 years, and designate an information officer, a service officer and a security officer. These roles must fall on three different persons, as they are incompatible.
These measures will undoubtedly require a considerable effort on the part of smaller contractors.