Both you and your processors shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
These security measures shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.