Ch 6.7 - Integrity and confidentiality

Integrity and confidentiality

Article 5(1)(f) - integrity and confidentiality (the 'security principle') - requires processing in a manner that ensures appropriate security, including protection against unauthorised/unlawful processing and accidental loss, destruction or damage, using appropriate technical and organisational measures. The GDPR promotes pseudonymisation and encryption; controllers may also use standards like ISO/IEC 27001 or NIST. Extra care is needed for sensitive (special category) data.

The security principle requires appropriate technical and organisational measures to protect data against unauthorised or unlawful processing and against accidental loss, destruction or damage. It protects data across its whole life cycle, so controllers must budget for security teams and frameworks.

GDPR-promoted techniques: pseudonymisation and encryption.
Recognised frameworks: ISO/IEC 27001, NIST.
Sensitive (special category) data warrants additional protective measures.
Consider the potential impact on individuals a breach could cause.

The 'security principle'

Integrity and confidentiality is the only Article 5 principle squarely about security. Watch the trap of confusing the pseudonymisation it promotes with anonymisation - pseudonymous data is still personal data.

Key terms - quick answers

What is “Integrity and confidentiality”?

Article 5(1)(f) security principle: ensure appropriate security against unauthorised/unlawful processing and accidental loss, destruction or damage.

What is “Technical and organisational measures”?

The security controls (technical, e.g. encryption; organisational, e.g. policies/teams) that protect personal data.

What is “Pseudonymisation”?

Processing data so it can no longer be attributed to a person without separately-kept additional information; a recommended safeguard (but not anonymisation).

← Storage limitation Accountability and telling the principles apart →