Data security

The obligation is to ensure personal data are processed in a manner that provides for appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.

You have to use appropriate technical and organisational measures to achieve that data security. Where an organisation’s computer systems are hacked, it is usually as a result of a failure to meet this obligation. 

To support data security, the GDPR also restricts transfers of personal data outside the EU and requires a whole raft of provisions to be included in any contract under which personal data are processed by one organisation on behalf of another. This requirement applies to all contracts in force beyond 25 May 2018 (irrespective of whether they were entered into before or after that date).

Practical steps to take now

  1. Review who in your organisation has access to records containing personal data (particularly any records containing special categories of personal data) and determine whether it necessary for everyone who currently has access to retain it.
  2. Consider whether pseudonymisation and encryption of personal data would be sensible – the GDPR and accompanying guidance published to date refer specifically to this.
  3. Plan staff training updates to emphasise the importance of data protection within your organisation.
  4. Ensure any contracts that your organisation has where personal data are transferred to another organisation – which happens where you use a cloud-based software system, for example – are GDPR-compliant (see the information on mandatory provisions for data processing contracts).  
  5. Download our checklist  on mandatory provisions for data processing contracts to ensure you are fully compliant with the regulations.

Main contacts