top of page

GDPR Security Measures

The majority of security breaches happen because of humans, not due to the failure of the systems.

Quarto Q Logo (2).png

GDPR security measures are defined in the law as 'technical and organisational security measures'. They range from security measures concerning the data itself, like codifying the data (pseudonymization), to technical measures like data access, password control, firewalls, and organisational measures like employee training, internal audits and building locks. 

Security measures are not limited to a rigid list. Rather they should be implemented based on your data processing activity, the type of company, and internal working systems, and the measures should be reviewed at least annually and based on the evolvement of the company and its activities in the current climate.

Assess risks

Design measures

Implement measures

Train & Monitor

Review & Update

When starting to think about security all aspects should be considered. From risks to losing the data, to how data subject can implement their rights, and from firewalls to how employees can recognize a security breach. 

A useful measure to set these parameters is called a Data Protection Impact Assessment (DPIA)

Measures come in all different types and designs. To name a few: licensed firewalls, virus protectors, data access keys, encryption key codes, log history, version controls, identify verification, smart passwords, pseudonymization of the data and anonymization of the data.

Measures should fit your company, the way you are working with your team, and your data processing activities. When a measure can't be correctly implemented, your system and data is and remains at risk.

Incorporate your measures in policies and Standard Operational Procedures.

There is no point in designing and implementing security measures when your staff and team doesn't know about them. Train your staff about the measures, how to properly work with them, and how to spot irregularities and who to contact then.


Monitoring security and safety is a team task.

At least annually, if not more regularly - depending on the data, activity and measure, you should re-open the risk assessment (DPIA) and review your measures towards the current risks and security standards.


Review and adapt to the environment and update your measures.

bottom of page