Personal data must be "processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures," according to Article 5.1(f) of the GDPR. In essence, this is the security premise of the Regulation. The security of processing is governed by Article 32. Examples of suitable organisational and technical measures include:
- encryption and pseudonymization of personal data
- the capacity to maintain processing systems' and services' continued confidentiality, integrity, availability, and resilience
- the capability of recovering data accessibility and availability in the case of a physical or technological mishap
- a procedure for routinely examining, evaluating, and testing the efficacy of organisational and technical security measures.
Data controllers and processors must consider the risks associated with the processing when deciding which security measures to put in place. A risk assessment or DPIA (data protection impact assessment) will help you choose the right security measures. Even when the risk is initially viewed as low, carrying out a DPIA is a useful practice, because the assessment may reveal risks you had not considered.
The GDPR includes six data processing principles as opposed to the eight data protection principles of the Data Protection Act of 1998. Personal information must be:
- Processed lawfully, fairly, and transparently in relation to the data subject ("lawfulness, fairness, and transparency")
- Collected for specific, clear, and legal purposes and not further processed in a way that is inconsistent with those purposes; pursuant to Article 89(1), further processing for public interest archiving, scientific or historical research, or statistical purposes shall not be deemed inconsistent with the initial purposes ("purpose limitation")
- Adequate, pertinent, and strictly limited to what is required in light of the purposes of the processing ("data minimization")
- Accurate and, where necessary, kept current; every effort must be made to ensure that personal data that is incorrect, taking into account the purposes for which it is processed, is immediately deleted or corrected ("accuracy")
- Kept in a form that makes it possible to identify data subjects for no longer than is necessary for the purposes for which the data is processed; personal data may be stored for longer periods if processed solely for archiving in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1), subject to implementation of the necessary technical and organisational measures ("storage limitation")
- Processed in a way that guarantees adequate security of the personal data, including protection against unauthorized or unlawful processing and against unintentional loss, destruction, or damage (referred to as "integrity and confidentiality"), using appropriate technical or organisational methods.