Security
The security principle of the GDPR states that an individual or organisation should process personal data securely, by means of appropriate technical and organisational measures. Organisations are encouraged to consider risk analysis, organisational policies, and physical and technical measures.
Poor security can lead to severe consequences, such as:
- Identity fraud
- Fraudulent credit card transactions
- Targeting of individuals by fraudsters, potentially made more convincing by compromised personal data
- Witnesses put at risk of physical harm or intimidation
- Offenders at risk from vigilantes
- Exposure of people's addresses
- Fake applications for tax credits
- Mortgage fraud
How to Incorporate Security into an Organisation
When considering physical security, you should look at factors such as how you:
- Protect your premises - the quality of doors and locks, and means such as alarms, security lighting or CCTV
- Control access to your premises - how visitors are supervised while on your premises
- Dispose of paper and electronic waste properly - don't just throw it in the bin. Shred, pulp or burn the documents you don't need
- Keep IT equipment secure - ensure you have protective steps in place for your IT equipment, particularly mobile devices and PCs
Be careful what information you give out to people. If someone calls you on the phone, claims to be a client's family member and asks for sensitive information, such as their health condition, how do you know it's really them? This sort of information should not be freely accessible.
When considering cyber security, you should look at factors such as:
- System security - the security of your network and information systems, including those which process personal data
- Data security - the security of the data you hold within your systems, e.g. ensuring appropriate access controls are in place and that data is held securely
- Online security - e.g. the security of your website and any other online service or application that you use
- Device security - including policies on BYOD (bring your own device)
