- A key principle of the UK GDPR is that you process personal data securely by means of ‘appropriate technical and organisational measures’ – this is the ‘security principle’.
- Doing this requires you to consider things like risk analysis, organisational policies, and physical and technical measures.
- You also must consider additional requirements about the security of your processing – and these also apply to data processors.
- You can consider the state of the art and costs of implementation when deciding what measures to take – but they must be appropriate both to your circumstances and the risk your processing poses.
- Where appropriate, you should look to use measures such as pseudonymisation and encryption.
- Your measures must ensure the ‘confidentiality, integrity and availability’ of your systems and services and the personal data you process within them.
- The measures must also enable you to restore access and availability to personal data in a timely manner in the event of a physical or technical incident.
- You also need to ensure that you have appropriate processes in place to test the effectiveness of your measures and undertake any required improvements.
- We have worked closely with the National Cyber Security Centre (NCSC) to develop an approach that you can use when assessing the measures that will be appropriate for you.