Article 30 1. g) of the GDPR requires that "a general description of the technical and organizational security measures referred to in Article 32(1) be included in the register as far as possible".

Each controller or processor has an obligation under Articles 5 1. f) and 32 of the GDPR to ensure the security of data by measures appropriate to the level of risk.

What is a security measure? It's any measures necessary to ensure the security and confidentiality of personal data. It can be, for example, physical security measures such as the security of access to the premises or computer security measures such as the installation of an antivirus, a binding password for access to data, etc.

For each processing of personal data, it's necessary to take appropriate measures to guarantee a level of security adapted to the risk for the rights and freedoms of the persons concerned (invasion of privacy, discrimination etc.). The risk should not be assessed in relation to the company but in relation to the person concerned by the processing.

Guaranteeing security means guaranteeing the confidentiality, integrity and availability of data. Security measures must therefore prevent illegitimate access to data, unwanted modification of data and the disappearance of data.

To ensure that the measures are adapted to the risk, these risks must be assessed. For this purpose, the potential impacts on data security, the sources of the risks, the feasible threats and whether the existing measures are sufficient must be identified. If not, they must be increased.