32. The elements necessary to implement the principle of integrity, confidentiality and availability include—
(a) having an operative means of managing policies and procedures for information security;
(b) assessing the risks against the security of personal data and putting in place measures to counter identified risks;
(c) processing that is robust to withstand changes, regulatory demands, incidents, and cyber-attacks;
(d) ensuring only authorised personnel have access to the data necessary for their processing tasks;
(e) securing transfers against unauthorised access and changes;
(f) securing data storage from use, unauthorised access and alterations;
(g) keeping back-ups and logs to the extent necessary for information security;
(h) using audit trails and event monitoring as a routine security control;
(i) protecting sensitive personal data with adequate measures and, where possible, keeping it separate from the rest of the personal data;
(j) having in place routines and procedures to detect, handle, report, and learn from data breaches; and
(k) regularly reviewing and testing software to uncover vulnerabilities of the systems supporting the processing.