The General Data Protection Regulation (GDPR) requires that appropriate security measures be put in place which take account of the harm that would result from accidental or unlawful processing, including destruction, loss, alteration, unauthorised disclosure of or access to the information. The security measures should ensure ongoing confidentiality, integrity, availability and resilience of the processing systems. This should take account of best practice in available technology and processes and the cost of installation.

In addition to technical security measures, consideration must be given to organisational measures such as access to paper records and access control for central IT servers and local PCs.

For more information, read our guidance about sources of information to consider when reviewing or setting your security.