SMART Referrals logo-02

Security Copy

  • A key principle of the UK GDPR is that you process personal data securely by means of ‘appropriate technical and organisational measures’ – this is the ‘security principle’.
  • Doing this requires you to consider things like risk analysis, organisational policies, and physical and technical measures.
  • You also must consider additional requirements about the security of your processing – and these also apply to data processors.
  • You can consider the state of the art and costs of implementation when deciding what measures to take – but they must be appropriate both to your circumstances and the risk your processing poses.
  • Where appropriate, you should look to use measures such as pseudonymisation and encryption.
  • Your measures must ensure the ‘confidentiality, integrity and availability’ of your systems and services and the personal data you process within them.
  • The measures must also enable you to restore access and availability to personal data in a timely manner in the event of a physical or technical incident.
  • You also need to ensure that you have appropriate processes in place to test the effectiveness of your measures and undertake any required improvements.
  • We have worked closely with the National Cyber Security Centre (NCSC) to develop an approach that you can use when assessing the measures that will be appropriate for you.