A data controller and data processor shall implement appropriate technical and organisational measures to ensure the security, integrity and confidentiality of personal data in its possession or under its control, including protections against accidental or unlawful destruction, loss, misuse, alteration, unauthorised disclosure, or access, taking into account —

(a) the amount and sensitivity of the personal data;

(b) the nature, degree and likelihood of harm to a data subject that could result from the loss, disclosure, or other misuse of the personal data;

(c) the extent of the processing;

(d) the period of data retention; and

(e) the availability and cost of any technologies, tools, or other measures to be implemented relative to the size of the data controller or data processor.