Further Reading: Security

Security is designed to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage.

Security is imposed:

  • As a principle of data protection, which includes integrity and confidentiality
  • By both controllers and processors (a minimum term of the required written agreement)
  • By design and default
  • Through the application of appropriate technical and organisational measures
  • On a risk-based approach

Design means that data protection is embedded from the outset, and default reinforces that data should only be processed when necessary in accordance with the specified purpose:

  • Ensuring confidentiality, integrity, availability, and resilience
    • Confidentiality – on a need to know basis
    • Integrity – anti-malware, up-to-date patching, removal of unused software
  • Using encryption/pseudonymisation when appropriate
  • Regular backing up of personal data and the ability to restore access in a timely fashion following an incident
  • Regular testing, assessment and evaluation of the effectiveness of the security measures put in place

When implementing security, regard should be had to:

  • State of the art of technology
  • Cost of implementation
  • The nature, scope, context and purpose of processing
  • Severity and likelihood of risk

References:

Article 5 (Principles); Article 32 (Security); Article 28 (Processors – contractual requirements); Recitals (49), (81), (83)

EDPB Guidelines 04/19 on Article 25 Data Protection by Design and by Default – adopted November 2019
https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2019/guidelines-42019-article-25-data-protection-design_en

Article 29 Working Party opinion on the Risk-Based Approach in Data Protection Legal Frameworks
https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp218_en.pdf

Article 29 Working Party opinion on Anonymisation Techniques
https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf

ICO guidance on security, including links to further reading
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/security/