Organisational Data Protection Measures
1. The Data Processor shall ensure that, in respect of all Personal Data it receives from or processes on behalf of the Data Controller, it maintains security measures to a standard appropriate to:
1.1 the harm that might result from unlawful or unauthorised processing or accidental loss, damage, or destruction of the Personal Data; and
1.2 the nature of the Personal Data.
2. In particular, the Data Processor shall:
2.1 have in place, and comply with, a security policy which:
2.1.1 defines security needs based on a risk assessment;
2.1.2 allocates responsibility for implementing the policy to a specific individual (such as the Data Processor’s Data Protection Officer) or personnel;
2.1.3 is provided to the Data Controller on or before the commencement of this Agreement;
2.1.4 is disseminated to all relevant staff; and
2.1.5 provides a mechanism for feedback and review.
2.2 ensure that appropriate security safeguards and virus protection are in place to protect the hardware and software which is used in processing the Personal Data in accordance with best industry practice;
2.3 prevent unauthorised access to the Personal Data;
2.4 protect the Personal Data using pseudonymisation, where it is practical to do so;
2.5 ensure that its storage of Personal Data conforms with best industry practice such that the media on which Personal Data is recorded (including paper records and records stored electronically) are stored in secure locations and access by personnel to Personal Data is strictly monitored and controlled;
2.6 have secure methods in place for the transfer of Personal Data whether in physical form (for example, by using couriers rather than post) or electronic form (for example, by using encryption);
2.7 password protect all computers and other devices on which Personal Data is stored, ensuring that all passwords are secure, and that passwords are not shared under any circumstances;
2.8 not allow the storage of the Personal Data on any mobile devices such as laptops or tablets unless such devices are kept on its premises at all times;
2.9 take reasonable steps to ensure the reliability of personnel who have access to the Personal Data;
2.10 have in place methods for detecting and dealing with breaches of security (including loss, damage, or destruction of Personal Data) including:
2.10.1 the ability to identify which individuals have worked with specific Personal Data;
2.10.2 having a proper procedure in place for investigating and remedying breaches of the GDPR; and
2.10.3 notifying the Data Controller as soon as any such security breach occurs.
2.11 have a secure procedure for backing up all electronic Personal Data and storing back-ups separately from originals;
2.12 have a secure method of disposal of unwanted Personal Data including for back-ups, disks, print-outs, and redundant equipment; and
2.13 adopt such organisational, operational, and technological processes and procedures as are required to comply with the requirements of ISO/IEC
27001:2013, as appropriate to the Services provided to the Data Controller.