Security is designed to ensure against unauthorised or unlawful processing and against accidental loss, destruction or damage
Security is imposed:
Design means that that data protection is embedded from the outset, and default reinforces that data should only be processed when necessary in accordance with the specified purpose:
When implementing security regard should be had to:
References:
Article 5 Principles, Article 32 Security, Article 28 Processors Contractual requirements Recitals (49), (81), (83)
EDPH 04/19 Article 25 Data protection by Design and Default – adopted November 2019
https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2019/guidelines-42019-article- 25-data-protection-design_en
Article 29 work group opinion on Risk Based Approach in Data Protection Legal Frameworks
https://ec.europa.eu/justice/article-29/documentation/opinion- recommendation/files/2014/wp218_en.pdf
Article 29 work group opinion on Anonymisation Techniques
https://ec.europa.eu/justice/article-29/documentation/opinion- recommendation/files/2014/wp216_en.pdf
ICO guidance on Security including links to further reading
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection- regulation-gdpr/security/