27.
A data controller or data processor shall in processing of personal data —
(a) establish the data protection mechanisms set out under the Act and these Regulations are embedded in the processing;
and
(b) design technical and organisational measures to safeguard and implement the data protection principles.