GDPR Made Clear: Integrity and Confidentiality (Security)

November 24th 2025

What It Means And How To Meet It

The integrity and confidentiality principle, also known as the security principle, requires organisations to handle personal data “in a way that ensures appropriate security,” including protection against “unauthorised or unlawful processing and against accidental loss, destruction or damage” (ICO). For cultural organisations, this means putting both technical and organisational measures in place and making sure staff understand what secure handling looks like in practice.

Security isn’t just about systems – it’s about safeguarding individual rights. If personal data is lost, leaked, or accessed without permission, it can directly impact someone’s right to privacy, their ability to access services, or even their safety. The ICO is clear: security measures must be appropriate to the risks presented by your processing.

What Does The GDPR Security Principle Cover?

The GDPR security principle applies to any personal data you hold – whether it’s stored in a CRM, shared inbox, spreadsheet, or filing cabinet. It includes:

  • Preventing unauthorised access to personal data
  • Protecting data from accidental loss or corruption
  • Managing access rights and ensuring staff only see what they need
  • Keeping physical records secure and access-controlled
  • Ensuring systems are protected against malware, phishing, and other threats

Security breaches don’t just affect your organisation – they affect the people whose data you hold. That’s why the security principle is directly linked to individual rights under UK GDPR, including the right to be informed, the right of access, and the right to rectification.

What Can Organisations Do?

To meet the GDPR security principle, cultural organisations should take clear, practical steps:

  • Turn on multifactor authentication (MFA) wherever available – especially for email, cloud storage, and CRM systems.
  • Set and enforce a strong password policy – no shared passwords, no “Password123”. Make sure passwords are a combination of upper- and lower-case letters, numbers, and special characters – and implement regular password updates.
  • Never share logins, passwords, encryption keys, or access cards – even within teams. Limit access rights so staff only see the data they need for their role.
  • Lock devices and store them securely when not in use.
  • Keep paperwork in lockable drawers or cupboards.
  • Train staff regularly on phishing, scams, and secure data handling.
  • Keep software updated and apply security patches promptly.
  • Use secure platforms for sharing personal data – not personal email or messaging apps.
  • Test and review your security measures regularly – don’t set and forget.

These actions don’t just reduce risk – they demonstrate accountability. And if something goes wrong, they show you took reasonable steps to protect personal data and uphold individual rights.

Final Thoughts

The GDPR security principle isn’t just about compliance – it’s about trust. Audiences, staff, and partners expect their data to be handled with care.

What’s Next?

In the final post of our GDPR principles series, we’ll explore Accountability – the principle that ties everything together. It’s about taking ownership of your data protection responsibilities and being able to demonstrate compliance through governance, documentation, and culture. We’ll look at what the UK GDPR expects and how to build a privacy-first framework that stands up to scrutiny.

Get In Touch

If you’re a cultural organisation looking for tailored support, plain English policies, or practical training that empowers your team, we’d love to help. Get in touch for a free 30-minute consultation.
