Appropriate technical and organisational measures are generally required of data controllers to protect personal data. The phrase captures the two key elements of data protection practice: appropriate use of technology (judged against the state of the art, the cost of implementation and the risks to the individuals concerned) and consideration of human behaviour. For example, it covers not only the information security software in use, but also who is trusted with access to the data and how that access is granted, reviewed and withdrawn. If a controller uses the services of a data processor, the processor must likewise provide sufficient guarantees, set out in a written contract, that it applies appropriate technical and organisational measures to protect the data.
The standards ISO/IEC 27001 (which specifies an information security management system against which an organisation can be certified) and ISO/IEC 27002 (a code of practice for the security controls that system selects) have become an important touchstone for many organisations wishing to demonstrate that appropriate safeguards are in place.
See also: ACCOUNTABILITY, DATA-PROTECTION-BY-DESIGN, DATA PROTECTION POLICY
Calder, A. 2020. EU GDPR – an international guide to compliance. Ely: IT Governance. Available from: www.itgovernancepublishing.co.uk/product/eu-gdpr-an-international-guide-to-compliance.