Measures implemented under subsection (1) may include —
(a) pseudonymisation or other methods of de-identification of personal data;
(b) encryption of personal data;
(c) processes to ensure security, integrity, confidentiality, availability and resilience of processing systems and services;
(d) processes to restore availability of and access to personal data in a timely manner, in the event of a physical or technical incident;
(e) periodic assessments of risks to processing systems and services, including where the processing involves the transmission of data over an electronic communications network;
(f ) regular testing, assessing, and evaluation of the effectiveness of the measures implemented against current and evolving risks identified; and
(g) regular updating of the measures and introduction of new measures to address shortcomings in effectiveness, and accommodate evolving risks.