Security of processing

Controllers and processors must comply with security requirements that are risk-based but prescriptive and robust in nature.

The Applied GDPR requires that "appropriate technical and organisational measures" are implemented to ensure a level of security relevant to the risk.

The level of security must be considered in relation to the risks "in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed".

The risk is assessed by taking into account:

The technical and organisational measures are described in Article 32 of the Applied GDPR and, as appropriate, are to include at least:

"Security of processing" is integral to the new accountability requirements.

The security of processing and accountability requirements are inextricably connected, and internal policies should be adopted which demonstrate compliance.

Guidance on security is being developed. However, the UK Information Commissioner's Office has already published appropriate in-depth guidance. This can be found at: