Article 5.1(f) states that personal data must be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”. This is, in effect, the Regulation’s security principle.
Article 32 sets out rules on the security of processing. Examples of appropriate technical and organisational measures include:
- The pseudonymisation and encryption of personal data;
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- The ability to restore the availability and access to personal data in the event of a physical or technical incident;
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational security measures.
When choosing the security measures to implement, data controllers and processors must take account of the risks involved in the processing; a risk assessment or DPIA (data protection impact assessment) will help you determine which measures are appropriate. Conducting a DPIA is good practice even where the risk is initially perceived as low, as the assessment may reveal risks you had not considered.