Taking into account the state of the art, the costs of implementation […] the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (Article 32 GDPR).
Technical measures.
Pseudonymization and encryption.
Confidentiality and integrity.
Availability, resilience.
Promptly restore and access personal data.
Frequently testing, assessing and evaluating the effectiveness of measures.
Organizational measures.
Adherence to an approved code of conduct.
Adherence to an approved certification mechanism.
A natural person acting under authority who has access to data shall process it only on the Controller's instructions.