Common use of Practical Security Measures Clause in Contracts

Practical Security Measures. While the Contract imposes the obligation on the Processor to take “such Technical and Organisation Security Measures as are required under its own National Law to protect personal data processed on behalf of the Data Controller against unlawful forms of processing” many businesses may find it difficult to ascertain what this obligation means in practice. The obligation is a broad one and businesses will need to break this down into the classes of security measures identified in the appendix. These classes will require further practical consideration. Many international IT groups and standards bodies have looked at the area of information security and guidance of general application is available from many of the bodies referred to below (see Sources). An example of appropriate basic information security measures are set out in Annex 1 of this Implementation Guide.