Data Protection Act 2018
Security measures for personal data
72. (1) In determining appropriate technical or organisational measures for the purposes of section 71(1)(f), a controller shall ensure that the measures provide a level of security appropriate to the harm that might result from accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, the data concerned.
(2) A controller or processor shall take all reasonable steps to ensure that—
(a) persons employed by the controller or the processor, as the case may be, and
(b) other persons at the place of work concerned,
are aware of and comply with the relevant technical or organisational measures referred to in subsection (1).