Data Protection Act 2018

Technical and organisational measures

78. For the purposes of determining the appropriate technical and organisational measures in relation to personal data that are required to be taken by a controller or processor in order to ensure compliance with this Part, and in particular sections 71(1)(f), 75(1), 76 and 80, the controller or processor, as the case may be, shall, where relevant, have regard to the following matters:

(a) the nature of the personal data concerned;

(b) the accessibility of the data;

(c) the nature, scope, context and purpose of the processing concerned;

(d) any risks to the rights and freedoms of individuals arising from the processing concerned;

(e) the likelihood of any such risks arising and the severity of such risks;

(f) the state of the art and the cost of implementation;

(g) guidelines, recommendations and descriptions of best practice issued by the Commission or the European Data Protection Board.