Overview
Article 32 requires controllers and processors to implement technical and organizational measures that ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing. The measures must protect the confidentiality, integrity, availability, and resilience of processing systems and services, allow availability of and access to personal data to be restored in a timely manner after a physical or technical incident, and be regularly tested, assessed, and evaluated for effectiveness. Anyone acting under the authority of the controller or processor may process personal data only on the controller's instructions.
Key Principles
Risk-Based Measures: Choose safeguards in proportion to the likelihood and severity of the risks to data subjects, weighed against the state of the art and the cost of implementation; the higher the risk, the stronger the measures expected.
Data Protection Techniques: Use methods such as pseudonymisation and encryption of personal data, together with access controls, where they are appropriate to the risk.
Integrity, Availability, and Resilience: Ensure personal data is protected against unauthorized alteration, loss, or destruction, that systems remain resilient, and that data and access can be restored promptly after an incident.
Accountability: Regularly test, assess, and evaluate security measures and document the results; adherence to an approved code of conduct or certification mechanism may be used as evidence of compliance.
Organizational Applicability
This article applies to every controller and processor subject to the GDPR, whether established in the EU/EEA or, under Article 3(2), established elsewhere and offering goods or services to, or monitoring the behaviour of, data subjects in the EU/EEA:
Controllers and processors handling personal data of data subjects in the EU/EEA, including processors acting on a controller's behalf.
Public and private sector entities responsible for IT systems, data storage, and processing.
Teams overseeing security, IT operations, compliance, and risk management.
Implementation Requirements
Implement technical and organizational measures to safeguard personal data.
Apply pseudonymisation, encryption, and access restrictions where appropriate.
Conduct regular testing and assessments of security controls.
Document the measures and the results of their testing, and ensure that staff and other persons acting under the organization's authority process personal data only on the controller's instructions.
Implementation Guidance
Perform risk assessments to identify threats and vulnerabilities.
Restrict access to personal data on a least-privilege basis and log access so that legitimate use and misuse can both be traced.
Train staff on secure handling of personal data.
Periodically test and update security controls to address evolving risks.
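The requirements above name pseudonymisation, access restriction, and logging without showing what separates a real pseudonymisation scheme from a cosmetic one. The following is an added example, not code from the original page or any official guidance: it replaces e-mail addresses with keyed HMAC-SHA256 tokens, keeps the re-identification table separate from the pseudonymised data set, and guards re-identification behind a role check with an audit log. The key handling, the allowed roles, and the sample records are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Constructed sample records (fictional people, not real data).
RECORDS = [
    {"email": "alice@example.com", "purchase": "laptop"},
    {"email": "bob@example.com", "purchase": "phone"},
    {"email": "alice@example.com", "purchase": "charger"},
]

# Hypothetical pseudonymisation key. In production it would live in a KMS
# or HSM, separate from both the pseudonymised data set and its users.
PSEUDONYMISATION_KEY = secrets.token_bytes(32)

# Roles allowed to re-identify a token (an assumed policy, not from the page).
REIDENTIFY_ROLES = {"dpo", "fraud-investigator"}


def naive_hash(value: str) -> str:
    """Unkeyed SHA-256: consistent, but reversible by guessing for
    low-entropy identifiers such as e-mail addresses."""
    return hashlib.sha256(value.encode()).hexdigest()


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token: still consistent (the same e-mail always maps
    to the same token, so records can be joined), but an attacker without the
    key cannot recompute it from a list of candidate e-mails."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def pseudonymise_records(records, key):
    """Replace the direct identifier with a token. Returns the pseudonymised
    data set and the re-identification table, which must be stored separately
    (that separation is what makes the data pseudonymised rather than merely
    hashed in place)."""
    pseudonymised, lookup = [], {}
    for r in records:
        token = pseudonymise(r["email"], key)
        lookup[token] = r["email"]
        pseudonymised.append({"subject": token, "purchase": r["purchase"]})
    return pseudonymised, lookup


def reidentify(token, lookup, actor, role, audit_log):
    """Re-identification is a privileged operation: allowed only for
    approved roles, and every attempt (granted or denied) is logged."""
    granted = role in REIDENTIFY_ROLES
    audit_log.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "actor": actor, "role": role, "token": token[:12] + "...",
        "granted": granted,
    })
    if not granted:
        raise PermissionError(f"role {role!r} may not re-identify data")
    return lookup.get(token)


def reverse_by_dictionary(token, candidates, fn):
    """An attacker who obtained the data set recomputes fn over guessed
    identifiers; returns the match, or None if the scheme resists guessing."""
    for c in candidates:
        if fn(c) == token:
            return c
    return None


if __name__ == "__main__":
    data, table = pseudonymise_records(RECORDS, PSEUDONYMISATION_KEY)
    guesses = ["alice@example.com", "bob@example.com", "carol@example.com"]
    weak = naive_hash("alice@example.com")
    strong = data[0]["subject"]
    print("naive hash reversed to:", reverse_by_dictionary(weak, guesses, naive_hash))
    print("HMAC token reversed to:", reverse_by_dictionary(strong, guesses, naive_hash))
    log = []
    print("DPO re-identifies:", reidentify(strong, table, "dana", "dpo", log))
    try:
        reidentify(strong, table, "eve", "analyst", log)
    except PermissionError as e:
        print("analyst denied:", e)
    print(log)
```

The dictionary attack succeeds against the plain hash and fails against the keyed token, which is the practical reason an unkeyed hash of a direct identifier should not be presented as pseudonymisation. The audit log records denied attempts as well as granted ones, so a review can spot both misuse and over-broad role assignments.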
Periodic Review
Frequency: Annually or when processing activities, systems, or threats change.
Responsible Role: Data Protection Officer (DPO), IT Security Team, or Compliance Team.
Outcome: Ensure security measures remain effective, up-to-date, and compliant with GDPR.
Non-Compliance Risks
Fines: Up to €10 million or 2% of total worldwide annual turnover of the preceding financial year, whichever is higher, under Article 83(4); the higher €20 million / 4% tier in Article 83(5) applies to other infringements (such as the basic processing principles or data subject rights), not to Article 32 itself.
Legal Exposure: Enforcement actions or liability for data breaches.
Reputational Damage: Loss of trust due to compromised personal data.
Operational Risk: Data breaches, unauthorized access, or system downtime affecting compliance and business operations.