27   2019   Data Protection   No.
of erasing or rectifying, restrict its processing and inform the data subject within a reasonable time.

[Marginal note: Data protection by design or by default.]

41. (1) Every data controller or data processor shall implement appropriate technical and organisational measures which are designed—
(a) to implement the data protection principles in an effective manner; and
(b) to integrate necessary safeguards for that purpose into the processing.
(2) The duty under subsection (1) applies both at the time of the determination of the means of processing the data and at the time of the processing.
(3) A data controller or data processor shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which is necessary for each specific purpose is processed, taking into consideration—
(a) the amount of personal data collected;
(b) the extent of its processing;
(c) the period of its storage;
(d) its accessibility; and
(e) the cost of processing data and the technologies and tools used.
(4) To give effect to this section, the data controller or data processor shall consider measures such as—
(a) to identify reasonably foreseeable internal and external risks to personal data under the person’s possession or control;
(b) to establish and maintain appropriate safeguards against the identified risks;
(c) to the pseudonymisation and encryption of personal data;
(d) to the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(e) to verify that the safeguards are effectively implemented; and