Data Protection Act 2018
Technical and organisational measures | ||
78. For the purposes of determining the appropriate technical and organisational measures in relation to personal data that are required to be taken by a controller or processor in order to ensure compliance with this Part, and in particular sections 71 (1)(f), 75 (1), 76 and 80 , the controller or processor, as the case may be, shall, where relevant, have regard to the following matters: | ||
(a) the nature of the personal data concerned; | ||
(b) the accessibility of the data; | ||
(c) the nature, scope, context and purpose of the processing concerned; | ||
(d) any risks to the rights and freedoms of individuals arising from the processing concerned; | ||
(e) the likelihood of any such risks arising and the severity of such risks; | ||
(f) the state of the art and the cost of implementation; | ||
(g) guidelines, recommendations and descriptions of best practice issued by the Commission or the European Data Protection Board. |