As under the old Data Protection Act, the new General Data Protection Regulation (GDPR) requires data controllers and processors to “implement appropriate technical and organisational measures” to keep personal data secure.

In deciding what is appropriate, they must take into account “the state of the art and the costs of implementation” and “the nature, scope, context, and purposes of the processing”, as well as the risk, in terms of “likelihood and severity”, of a data breach. Sounds prescriptive but suitably vague? It is, and it doesn’t end there. More to follow.