Article 39.02

Measures implemented under subsection (1) may include —

(a) pseudonymisation or other methods of de-identification of personal data;

(b) encryption of personal data;

(c) processes to ensure security, integrity, confidentiality, availability and resilience of processing systems and services;

(d) processes to restore availability of and access to personal data in a timely manner, in the event of a physical or technical incident;

(e) periodic assessments of risks to processing systems and services, including where the processing involves the transmission of data over an electronic communications network;

(f ) regular testing, assessing, and evaluation of the effectiveness of the measures implemented against current and evolving risks identified; and

(g) regular updating of the measures and introduction of new measures to address shortcomings in effectiveness, and accommodate evolving risks.