Information security

The GDPR provides that data controllers and data processors must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. In deciding the appropriate level of security measures, the business should consider the costs of implementation, the nature, scope, context and purposes of the data processing and the likelihood and severity of risk for the rights and freedoms of the data subjects.


The following elements must be considered:  

  • the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed
  • the pseudonymisation and encryption of personal data
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing

In order to identify what specific requirements a business should implement, a data protection assessment should be carried out, the risks should be identified and the cost, availability and practicality of various measures should be considered to identify which is the most appropriate. Examples of data security measures which should be considered as a minimum include:

  • Technical measures
    • Data back-ups
    • Anti-virus software
    • Firewalls
    • User access control management
    • Login details / passwords which are regularly updated
    • Two-factor authentication
    • Encryption
  • Physical measures
    • Building security
    • Room / cabinet security
    • Fire doors
    • Security access passes
    • Security patrols
  • Organisational measures
    • Training for staff and suppliers
    • Detailed policies and record keeping
    • ISO 27001 or similar certification
    • Formal written contracts