GRCWatch
Sign inStart free trial

GDPR A5-06: Integrity and Confidentiality of Personal Data

GDPR Article 5(1)(f) mandates that personal data be processed with integrity and confidentiality through appropriate security measures. This control is foundational to GDPR compliance, requiring organisations to implement both technical and organisational safeguards against unauthorised processing, accidental loss, destruction, and damage. Without robust controls here, you risk significant fines and reputational damage.

What this means

This control requires you to process personal data securely using technical measures (encryption, access controls, monitoring) and organisational measures (policies, training, incident response procedures). The standard is 'appropriate' security—meaning proportionate to the risk level and data sensitivity. You must protect against: unauthorised or unlawful processing; accidental or unlawful destruction; accidental loss or damage; and unauthorised disclosure or access.

How to comply

  1. 1.Classify personal data by sensitivity level and identify corresponding security requirements
  2. 2.Implement encryption for data at rest and in transit, especially for high-risk categories
  3. 3.Establish role-based access controls (RBAC) limiting processing to authorised personnel only
  4. 4.Deploy monitoring and logging systems to detect unauthorised access attempts
  5. 5.Conduct regular vulnerability assessments and penetration testing
  6. 6.Document all technical and organisational security measures in your data protection impact assessments (DPIAs)
  7. 7.Create and enforce a data security policy covering employee access, third-party handling, and incident response
  8. 8.Train staff on data handling procedures and security protocols annually
  9. 9.Establish backup and disaster recovery procedures to prevent accidental loss or destruction
  10. 10.Define clear incident response procedures and maintain breach notification readiness

Evidence auditors look for

  • Encryption certificates and technical specifications for data at rest and in transit
  • Access control matrices and role definitions limiting processing rights
  • System audit logs and access logs showing monitoring in place
  • Vulnerability assessment reports and remediation records
  • Data Protection Impact Assessment (DPIA) documenting security measures
  • Data security policy and processing guidelines
  • Staff training records and completion certificates
  • Backup and disaster recovery test results and schedules
  • Incident response plan and breach notification procedures
  • Third-party data processing agreements (DPAs) with security requirements

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates encryption inventory, access control audits, and backup testing schedules—eliminating manual tracking and providing real-time evidence of your integrity and confidentiality controls for GDPR audits.

See how GRCWatch handles this control automatically

Start free trial

Related controls

GDPR A5-01: Lawfulness, Fairness, TransparencyGDPR A32: Security of ProcessingGDPR A33: Breach NotificationISO 27001 A9.2: User Access ManagementISO 27001 A10.1: CryptographyNIST 800-171 3.4.1: Authorisation Mechanisms