
GDPR Art.5.1f: Integrity and Confidentiality

What This Control Requires

Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').

In Plain Language

Data breaches make headlines, and this is the principle that regulators point to when handing out the fines. You need to protect personal data against unauthorised access, unauthorised changes, and accidental loss or destruction - with security measures that are proportionate to the risk.

The keyword here is "appropriate." A startup processing basic contact details is not expected to have the same security posture as a hospital handling medical records. But both must implement measures that match their specific risk profile. The GDPR is not asking for perfection - it is asking for a thoughtful, proportionate approach to security.

This covers the entire data lifecycle and every format data takes - electronic systems, paper files, everything. You need both technical measures (encryption, access controls, intrusion detection) and organisational ones (policies, training, incident response). One without the other leaves gaps that regulators will notice.

How to Implement

Start with a proper risk assessment. Identify what threatens the personal data you process - both external risks (cyberattacks, theft, natural disasters) and internal ones (accidental disclosure, employees with too much access, poor disposal practices). Evaluate each risk by likelihood and potential impact on data subjects.

Implement technical controls proportionate to those risks. At a minimum: encrypt personal data in transit and at rest, enforce role-based access controls with multi-factor authentication, keep up with security patching, deploy firewalls and intrusion detection, and maintain tested backup and disaster recovery procedures.

Put organisational measures in place too. Write clear security policies, train staff regularly on threats like phishing, enforce clear desk and clear screen practices, document your incident response and breach notification procedures, and assess the security posture of every third-party processor before you hand them data.

Build detection capability. Log and monitor access to personal data, set up alerts for suspicious activity, and make sure someone is actually watching. Quick detection is critical - you have only 72 hours to notify the supervisory authority of a breach under Article 33, and that clock starts when you become aware.

Test your defences regularly. Run penetration tests, vulnerability assessments, and security audits. Review incidents and near-misses for lessons learned. Security is not a one-time project - threats evolve, and your controls need to evolve with them.

Evidence Your Auditor Will Request

  • Information security risk assessment for personal data processing
  • Technical security controls documentation including encryption, access controls, and network security
  • Information security policies and procedures
  • Staff security awareness training records
  • Penetration testing and vulnerability assessment reports

Common Mistakes

  • Personal data transmitted over unencrypted channels or stored without encryption
  • Excessive access permissions - staff having access to personal data beyond what is needed for their role
  • No regular security testing or vulnerability assessments conducted
  • Paper records containing personal data left unsecured or disposed of improperly
  • Lack of security monitoring and incident detection capabilities

Related Controls Across Frameworks

Framework   Control ID   Relationship
ISO 27001   A.8.24       Related
ISO 27001   A.5.15       Related
NIS2        Art.21.2a    Related

Frequently Asked Questions

What level of encryption is required by the GDPR?
The GDPR does not prescribe specific algorithms, but industry practice and DPA guidance point to AES-256 for data at rest and TLS 1.2 or higher for data in transit. The encryption standard should be proportionate to data sensitivity and the risks you have identified. Using anything weaker than current best practice is hard to defend if something goes wrong.
Are we required to encrypt all personal data?
Not technically mandated for every piece of data, but encryption is explicitly called out in Article 32 as an appropriate measure and is considered table stakes for anything sensitive. There is also a practical incentive: if encrypted data is breached, Article 34 gives you a safe harbour - you may not need to notify individual data subjects. That alone makes it worth the investment.
How do we determine what constitutes 'appropriate' security?
Look at the state of the art in security, implementation costs, the nature and volume of data you process, and the risks to individuals if something goes wrong. Higher-risk processing demands stronger measures. DPA guidance, ISO 27001, and sector-specific standards all help calibrate what "appropriate" looks like in your context. The key is documenting your reasoning - show that you thought about it, not just that you ticked boxes.
