1. The Data Processor shall ensure that, in respect of all Personal Data it receives from
or processes on behalf of the Data Controller, it maintains security measures to a
standard appropriate to:
1.1 the harm that might result from unlawful or unauthorised processing or
accidental loss, damage, or destruction of the Personal Data; and
1.2 the nature of the Personal Data.
2. In particular, the Data Processor shall:
2.1 have in place, and comply with, a security policy which:
2.1.1 defines security needs based on a risk assessment;
2.1.2 allocates responsibility for implementing the policy to a specific individual
(such as the Data Processor’s Data Protection Officer) or personnel;
2.1.3 is provided to the Data Controller on or before the commencement of
this Agreement;
2.1.4 is disseminated to all relevant staff; and
2.1.5 provides a mechanism for feedback and review.
2.2 ensure that appropriate security safeguards and virus protection are in place to
protect the hardware and software which is used in processing the Personal
Data in accordance with best industry practice;
2.3 prevent unauthorised access to the Personal Data;
2.4 protect the Personal Data using pseudonymisation, where it is practical to do
so;
2.5 ensure that its storage of Personal Data conforms with best industry practice
such that the media on which Personal Data is recorded (including paper
records and records stored electronically) are stored in secure locations and
access by personnel to Personal Data is strictly monitored and controlled;
2.6 have secure methods in place for the transfer of Personal Data whether in
physical form (for example, by using couriers rather than post) or electronic form
(for example, by using encryption);
2.7 password protect all computers and other devices on which Personal Data is
stored, ensuring that all passwords are secure, and that passwords are not
shared under any circumstances;
2.8 not allow the storage of the Personal Data on any mobile devices such as
laptops or tablets unless such devices are kept on its premises at all times;
2.9 take reasonable steps to ensure the reliability of personnel who have access to
the Personal Data;
2.10 have in place methods for detecting and dealing with breaches of security
(including loss, damage, or destruction of Personal Data) including:
2.10.1 the ability to identify which individuals have worked with specific
Personal Data;
2.10.2 having a proper procedure in place for investigating and remedying
breaches of the GDPR; and
2.10.3 notifying the Data Controller as soon as any such security breach
occurs.
2.11 have a secure procedure for backing up all electronic Personal Data and storing
back-ups separately from originals;
2.12 have a secure method of disposal of unwanted Personal Data including for
back-ups, disks, print-outs, and redundant equipment; and
2.13 adopt such organisational, operational, and technological processes and
procedures as are required to comply with the requirements of ISO/IEC
27001:2013, as appropriate to the Services provided to the Data Controller.