Security of processing

Controllers and processors must comply with the security requirements which are risk-based, but prescriptive and robust in nature.

The Applied GDPR requires that "appropriate technical and organisational measures" are implemented to ensure a level of security relevant to the risk.

The level of security must be considered in relation to the risks "in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed". 

The risk is assessed by taking into account:

• the nature, scope, context and purposes for processing;
• the varying likelihood and severity of the affect on the rights and freedoms of individuals.

The technical and organisational measures are described in Article 32 of the Applied GDPR and, as appropriate, are to at least include:

• pseudonymisation and encryption of personal data;
• the ability to ensure ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data;
• the ability to restore the availability and access to data in a timely manner in the event of a physical or technical incident;
• a process for regularly testing, assessing and evaluating the effectiveness of those measures.

"Security of processing" is integral to the new accountability requirements.

The security of processing and accountability requirements are inextricably connected and internal policies should be adopted which demonstrate compliance.

Guidance on security is being developed.  However, the UK Information Commissioner's Office has already published appropriate in-depth guidance. This can be found at:

• https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/security/
• https://ico.org.uk/for-organisations/security-outcomes/