Taking into account the state of the art, the costs of implementation […] the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (Article 32 GDPR).
Pseudonymization and encryption.
Confidentiality and integrity.
Promptly restore and access personal data.
Frequently testing, assessing and evaluating the effectiveness of measures.
Adherence to an approved code of conduct.
Adherence to an approved certification mechanism.
Natural person under authority having access to data shall process under Controller instructions only.