Security
[ch 2: pages 20-21]

Both controllers and processors have a legal duty under Article 32 of the GDPR to ensure an appropriate level of security by technical and organisational measures. When deciding what measures are appropriate, they can take into account the costs of implementation, the nature, scope, context and purposes of processing and the risks to individuals’ rights and freedoms. Measures can include:
• the pseudonymisation and encryption of personal data;
• the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
• the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
• a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
When deciding what security measures to put in place, controllers and processors must take into account the risks of data being accidentally or unlawfully destroyed, lost, altered or disclosed without authorisation.
They must also take steps to ensure that anyone acting under their authority who has access to personal data does not process it except where the controller or processor instructs them, or where they have a legal obligation to do so.