Background - why security is an A-list principle
Security is not just one principle among many; it underpins compliance with all the others. Insecurity can trigger unlawful transfers, inaccuracy, data proliferation and real harm. Security is bound up with cybersecurity, which gives it extra prominence, and it sits in tension with state interests like national security. Crucially, the meaning of appropriate technical and organisational measures is unusually well-defined because it draws on an established body of security best practice and standards.
Security is on the data protection 'A-list' for several reasons. First, a state of security is often a prerequisite to complying with the other principles - insecurity can cause unlawful cross-border flows, embed inaccuracies, cause data proliferation, and cause distress and harms like identity theft and pecuniary loss. So the absence of security can cause wholesale non-compliance across the whole GDPR framework. Security 'isn't a standalone risk but part of the fabric of every risk' that controllers and processors should track in their risk registers.
Second, serious insecurity guarantees press attention, and the personal data breach notification regime amplifies that risk. Third, insecurity uniquely combines scale and harm - breaches can affect tens of millions of people (in 2016 hackers compromised one billion user accounts at a US company), making them ripe for group litigation.
Unusually, the meaning of appropriate technical and organisational measures is 'capable of full definition' because security is a mature field of professional expertise that the law 'merely adopted rather than invented'. The ICO/NCSC paper 'GDPR security outcomes' is part of this best-practice body. Examples of enforcement: the ICO fined British Airways £20 million and Marriott International £18.4 million in 2020 for security breaches.
Security is intermingled with every other principle. Insecurity can cause non-compliance across the entire GDPR, not just a breach of the security principle in isolation.