Integrity and confidentiality

Integrity and confidentiality is one of the six processing principles set out in Art. 5(1) GDPR and is expressly labelled the security principle in point (f). Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. This is achieved through appropriate technical and organisational measures (TOMs). Confidentiality ensures that data is accessible only to authorised persons, while integrity safeguards the accuracy and completeness of data throughout its entire lifecycle.

The principle is given concrete form by Art. 32 GDPR, which governs the security of processing. Controllers and processors must ensure a level of protection appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing. The article names measures such as pseudonymisation and encryption, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems, and a process for regularly testing and evaluating the effectiveness of those measures. The required level of protection is determined by the risk to the rights and freedoms of the data subjects.

Breaches of integrity and confidentiality regularly amount to personal data breaches within the meaning of Art. 4(12) GDPR and may trigger notification duties under Art. 33 and 34 GDPR. Because the principle is part of Art. 5, an infringement falls under the higher fine tier of Art. 83(5) GDPR of up to EUR 20 million or 4 percent of total worldwide annual turnover. The accountability principle in Art. 5(2) GDPR further means that controllers must be able to demonstrate the suitability and implementation of their security measures, for example through documentation, policies and regular audits.