27. Data protection by design or default

27.

A data controller or data processor shall in processing of personal data —

(a) establish the data protection mechanisms set out under the Act and these Regulations are embedded in the processing;

and

(b) design technical and organisational measures to safeguard and implement the data protection principles.

135  PART V—ELEMENTS TO IMPLEMENT DATA PROTECTION BY DESIGN OR BY DEFAULT