Appropriate technical and organisational measures are generally required of data controllers to protect personal data. The phrase highlights the two key elements of data protection practice: appropriate use of technology (given the state of the art, resources and risks involved), as well as consideration of human behaviour. For example, this covers not only the information security software used, but also who is trusted with access to the data. If a controller uses the services of a data processor, the latter should also provide written assurance of appropriate technical and organisational measures to protect data.

The ISO/IEC standards 27001 and 27002 have become an important touchstone for many organisations wishing to demonstrate that they have implemented appropriate safeguards.

See also: ACCOUNTABILITY, DATA-PROTECTION-BY-DESIGN, DATA PROTECTION POLICY

Further reading:

Calder, A. 2020. EU GDPR – an international guide to compliance. Ely: IT Governance. Available from: www.itgovernancepublishing.co.uk/product/eu-gdpr-an-international-guide-to-compliance.
