Controllers must implement comprehensive safeguards under Article 20 and related regulations, including: 

• Data encryption (in transit and at rest) to protect data confidentiality. 

• Access controls: Role-based permissions, multi-factor authentication, and strict logical access management. 

• Cybersecurity systems: Firewalls, intrusion detection systems, malware protection, and regular vulnerability scans. 

• Physical security: Restricted access to data centers, smart ID controls, CCTV, and secure storage for physical records. 

• Personnel measures: Regular training on data protection policies, incident response, and handling procedures. 

• Incident response planning: Clear protocols for detecting, reporting, and responding to data breaches. 

• Data minimization: Limiting collection, processing, and retention to only what’s necessary. 

• Vendor management: Contracts with third parties must include PDPL-compliant security clauses and ongoing audits. 

Yes. Controllers must conduct regular risk assessments, including: 

• Risk analysis: Identifying threats and vulnerabilities tied to their processing activities. 

• Data Protection Impact Assessments (DPIAs): Mandatory for high-risk scenarios like large-scale processing, linking data sources, profiling, or using new technologies. 

• Risk mitigation: Implementing appropriate technical and organisational measures based on assessment findings. 

• Tracking risk management: Documenting the assessment, results, and mitigation steps for ongoing review. 

Controllers must prove they are actively maintaining data security by: 

• Documenting security controls: Keep records of encryption, access logs, system configurations, and training schedules. 

• Conducting regular reviews: Periodic audits, penetration tests, and internal compliance checks help uncover weaknesses. 

• Updating measures: Security controls must be amended in response to new risks, technology changes, or audit findings. 

• Maintaining logs & reports: Details of access events, incidents, and corrective actions must be logged. 

• Certifications & standards: Voluntary certifications (like ISO 27001) or internal codes of conduct show commitment to best practices.