Implement role-based access controls — least privilege, need-to-knowOnly personnel who need access to personal data to do their jobs should have it. Access should be revoked immediately upon role change or departure. Privileged access should be logged and reviewed.
Encrypt personal data at rest and in transitPersonal data stored in databases, files, or backups must be encrypted. Personal data transmitted between systems, over the internet, or to third parties must use TLS/HTTPS at minimum.
Implement Data Loss Prevention (DLP) controlsDLP tools monitor and prevent unauthorised transfers of personal data via email, USB, cloud uploads, or other channels. This is a specific technical safeguard cited in Section 8(5) compliance guidance.
Set up breach detection, monitoring, and alertingYou cannot notify a breach you did not detect. Implement logging, anomaly detection, and alerting so that any unauthorised access to personal data is flagged immediately — not discovered weeks later.
Conduct regular security assessments and penetration testsSection 8(5) requires reasonable security practices. Regular external security assessments are evidence of those practices. Assessments should cover systems, applications, and processes that handle personal data.
Verify that your Data Processors have adequate security measures in placeYou remain responsible for personal data even when it is processed by a third party. Review your vendors' security certifications, conduct due diligence, and include security obligations in all contracts.