Security | Updated: 7 April 2026 | 4 min read

System and Software Security - Key Principles

The software and systems you use form the foundation of your data security. This article covers the principles you need to apply to keep your systems secure.

Key Takeaways
  • Keep all software up to date - most cyberattacks exploit known vulnerabilities
  • Apply the principle of least privilege: give users only the permissions they need
  • Segment your networks: your guest network should not have access to business data
  • Enable logging so you can trace what happened during an incident

Your systems are your first line of defence

The software you use, the devices you work on, and the network you connect to - together they form the foundation of your data security. If that foundation is weak, written policies won’t help much.

The GDPR (Article 32) requires “appropriate technical and organisational measures”. The following principles cover the technical side: what you should apply to your systems and software.

Principle 1: Keep everything up to date

The majority of successful cyberattacks exploit known vulnerabilities for which a patch was already available. Installing updates promptly is one of the most effective security measures you can take, and usually the cheapest.

  • Operating system - enable automatic updates on all workstations and servers
  • Browsers - always use the latest version
  • Business software - schedule regular updates for your CRM, accounting, and other tools
  • Firmware - don’t forget your router, printer, and other network devices
  • Plugins and extensions - outdated WordPress plugins or browser extensions are a common attack vector

Principle 2: Least privilege

Give users only the access they need for their work, nothing more. This limits the damage if an account is compromised.

  • Not everyone needs to be an admin
  • Create separate accounts for daily use and administration
  • Remove permissions as soon as they are no longer needed
  • Use groups or roles to assign permissions consistently
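The four points above can be checked rather than just stated. The script below is an added example, not GDPRWise code: it audits a constructed account inventory against a role model and reports permissions that are not backed by any role, permissions nobody has used for 90 days, and admin rights sitting on a daily-use account. The role names, the `ACCOUNTS` list and the `audit()` function are assumptions for illustration; in practice the inventory would be exported from your directory, IAM or application.

```python
"""Least-privilege audit over a constructed account inventory.

Added example, not GDPRWise code. The role model, the accounts and the
90-day threshold are assumptions; export real data from your directory
or IAM system to reuse it.
"""
from datetime import date, timedelta

# Roles are the source of truth: the permissions each role is meant to carry.
ROLES = {
    "sales": {"crm:read", "crm:write"},
    "finance": {"accounting:read", "accounting:write"},
    "it-admin": {"crm:admin", "accounting:admin", "server:admin"},
}

STALE_AFTER = timedelta(days=90)  # assumed review interval
TODAY = date(2026, 4, 7)          # fixed so the sample is reproducible

# Constructed inventory: what each account actually holds today and when
# each permission was last exercised (missing entry = never used).
ACCOUNTS = [
    # Sales user who was given server admin "temporarily" last year.
    {"user": "anna", "admin_account": False, "roles": ["sales"],
     "granted": {"crm:read", "crm:write", "server:admin"},
     "last_used": {"crm:read": date(2026, 4, 6), "crm:write": date(2026, 4, 1),
                   "server:admin": date(2025, 6, 1)}},
    # Finance user with a write permission that has never been used.
    {"user": "ben", "admin_account": False, "roles": ["finance"],
     "granted": {"accounting:read", "accounting:write"},
     "last_used": {"accounting:read": date(2026, 4, 3)}},
    # Dedicated admin account used only for administration: nothing to report.
    {"user": "adm-carla", "admin_account": True, "roles": ["it-admin"],
     "granted": {"crm:admin", "accounting:admin", "server:admin"},
     "last_used": {"crm:admin": date(2026, 3, 20), "accounting:admin": date(2026, 2, 10),
                   "server:admin": date(2026, 4, 5)}},
]


def expected_permissions(roles):
    """Union of the permissions granted by a user's assigned roles."""
    return set().union(*(ROLES[r] for r in roles))


def audit(accounts, today):
    """Return (user, permission, reason) findings for permissions that
    violate least privilege: not backed by a role, unused for too long,
    or admin rights held by an account that is also used for daily work."""
    findings = []
    for acc in accounts:
        expected = expected_permissions(acc["roles"])
        # 1. Permission creep: granted directly, not through any role.
        for perm in sorted(acc["granted"] - expected):
            findings.append((acc["user"], perm, "not covered by any assigned role"))
        # 2. Permissions no longer needed: never used, or not used recently.
        for perm in sorted(acc["granted"]):
            used = acc["last_used"].get(perm)
            if used is None or today - used > STALE_AFTER:
                findings.append((acc["user"], perm, "unused for more than 90 days"))
        # 3. Admin rights belong on a separate administration account.
        admin_perms = {p for p in acc["granted"] if p.endswith(":admin")}
        if admin_perms and not acc["admin_account"]:
            findings.append((acc["user"], ",".join(sorted(admin_perms)),
                             "admin rights on a daily-use account"))
    return findings


if __name__ == "__main__":
    for user, perm, reason in audit(ACCOUNTS, TODAY):
        print(f"{user:10} {perm:30} {reason}")
```

Run against the sample, the audit reports four findings: three for anna's leftover `server:admin` (not role-based, unused since June 2025, and held on her everyday account) and one for ben's never-used `accounting:write`; the dedicated admin account is clean. Scheduling such a review is what turns "remove permissions as soon as they are no longer needed" from an intention into a control.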

Principle 3: Segment your network

Keep different types of traffic separate:

  • Guest network separate from your business network - visitors and customers don’t need access to your internal systems
  • IoT devices on a separate network - smart devices are often poorly secured
  • Sensitive systems behind extra protection - your HR system or financial records don’t need to be reachable from every device; restrict them to the hosts and users that actually work with them

Principle 4: Encryption

Encrypt data both at rest and in transit:

  • In transit - use HTTPS for your website, a VPN for remote workers, and TLS for email (both the connections from mail clients and server-to-server delivery)
  • At rest - enable disk encryption on laptops and external storage media (BitLocker on Windows, FileVault on macOS)
  • Backups - encrypt your backups as well, especially if they are stored off-site

Principle 5: Logging and monitoring

When something goes wrong, you need to be able to trace what happened:

  • Enable logs on your most important systems
  • Retain logs long enough to investigate incidents (at least 3 months)
  • Periodically check for unusual activity - repeated failed logins, logins at odd hours or from unexpected locations, new administrator accounts
  • Ensure logs cannot be deleted by an attacker - forward them to a separate log server or append-only storage, so that whoever takes over a machine cannot erase the trail it left
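"Check for unusual activity" is concrete once you have lines to look at. The script below is an added example, not GDPRWise code: it parses constructed OpenSSH log lines in syslog format and flags a source address that fails five logins within ten minutes, then flags any successful login from that address afterwards (the pattern of a password-guessing attack that eventually works). The sample lines, the year, and the threshold and window are assumptions to tune for your own environment.

```python
"""Brute-force and success-after-brute-force detection over sshd log lines.

Added example, not GDPRWise code. The log lines are constructed; the
year (syslog lines carry none), the 5-failure threshold and the
10-minute window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a guessing burst from 203.0.113.5 that ends in a
# successful login, plus normal traffic from 198.51.100.23.
LOG = """\
Apr  7 09:12:01 web1 sshd[2134]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Apr  7 09:12:04 web1 sshd[2136]: Failed password for root from 203.0.113.5 port 51240 ssh2
Apr  7 09:12:09 web1 sshd[2139]: Failed password for invalid user test from 203.0.113.5 port 51251 ssh2
Apr  7 09:13:15 web1 sshd[2150]: Accepted publickey for deploy from 198.51.100.23 port 40022 ssh2
Apr  7 09:14:02 web1 sshd[2161]: Failed password for invalid user oracle from 203.0.113.5 port 51302 ssh2
Apr  7 09:14:40 web1 sshd[2170]: Failed password for backup from 203.0.113.5 port 51330 ssh2
Apr  7 09:21:55 web1 sshd[2201]: Accepted password for backup from 203.0.113.5 port 51390 ssh2
Apr  7 11:02:13 web1 sshd[2300]: Failed password for deploy from 198.51.100.23 port 40100 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

YEAR = 2026                     # assumed; syslog timestamps have no year
WINDOW = timedelta(minutes=10)  # assumed detection window
THRESHOLD = 5                   # assumed number of failures that counts as a burst


def parse(log_text):
    """Return (timestamp, result, user, ip) tuples; lines that do not match
    the login pattern (other sshd messages) are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect(events):
    """Flag source addresses with >= THRESHOLD failures inside WINDOW, and
    any successful login from such an address after the burst."""
    findings = []
    failures = defaultdict(list)  # ip -> timestamps of recent failures
    flagged = {}                  # ip -> time the burst was detected
    for ts, result, user, ip in sorted(events):
        if result == "Failed":
            recent = failures[ip]
            recent.append(ts)
            # Slide the window: forget failures older than WINDOW.
            while recent and ts - recent[0] > WINDOW:
                recent.pop(0)
            if len(recent) >= THRESHOLD and ip not in flagged:
                flagged[ip] = ts
                findings.append(("brute-force", ip,
                                 f"{len(recent)} failures within {WINDOW} ending {ts:%H:%M:%S}"))
        elif ip in flagged:
            # A success from an address that was guessing passwords is the
            # event that actually needs a human to look at it.
            findings.append(("success-after-brute-force", ip,
                             f"user {user} accepted at {ts:%H:%M:%S}"))
    return findings


if __name__ == "__main__":
    for kind, ip, detail in detect(parse(LOG)):
        print(f"{kind:26} {ip:15} {detail}")
```

On the sample this yields two findings: the burst from 203.0.113.5 (detected at the fifth failure, 09:14:40) and the accepted password for `backup` from the same address seven minutes later. The single failure from 198.51.100.23 stays below the threshold, which is the point of a window-based rule: one typo is not an incident, five attempts in ten minutes is worth a look.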

Principle 6: Backup and recovery

A backup you can’t restore is not a backup:

  • Make daily backups of business-critical data
  • Keep at least one backup offline or at a different location, and not writable with the same credentials as your production systems - ransomware that encrypts the live data will also encrypt any backup it can reach
  • Regularly test whether your backups can actually be restored
  • Document your recovery procedure so you don’t have to improvise during a crisis
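A restore test is easy to automate, and automating it is the only way it gets done regularly. The script below is an added example, not GDPRWise code: it backs up a constructed sample directory into a tar.gz archive, records a SHA-256 manifest at backup time, restores the archive into an empty directory and checks every file against the manifest. Called with `corrupt=True` it truncates the archive first, to show that the drill reports an unrestorable backup rather than silently passing. The sample files, the archive format and the function names are assumptions; point `make_backup` and `restore_and_verify` at real paths to reuse them.

```python
"""Backup-and-restore drill: archive, restore elsewhere, verify every file.

Added example, not GDPRWise code. Works on a constructed data set in a
temporary directory; the archive format and helper names are assumptions.
"""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_manifest(root):
    """Map each file's path (relative to root, POSIX form) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def make_backup(source_dir, archive_path):
    """Archive the contents of source_dir and return the manifest recorded
    at backup time; store that manifest with the backup."""
    source_dir = Path(source_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        for entry in sorted(source_dir.iterdir()):
            tar.add(entry, arcname=entry.name)
    return sha256_manifest(source_dir)


def restore_and_verify(archive_path, restore_dir, expected_manifest):
    """Restore the archive into an empty directory and compare it with the
    manifest. Returns (ok, list of problems)."""
    try:
        with tarfile.open(archive_path, "r:gz") as tar:
            # The 'data' filter (Python 3.12+, backported to older security
            # releases) refuses absolute paths and '..' entries, so a tampered
            # archive cannot write outside restore_dir.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(restore_dir, **kwargs)
    except Exception as exc:  # any failure here means the backup is not restorable
        return False, [f"restore failed: {type(exc).__name__}: {exc}"]
    restored = sha256_manifest(restore_dir)
    problems = []
    for rel, digest in expected_manifest.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"content differs: {rel}")
    for rel in sorted(restored.keys() - expected_manifest.keys()):
        problems.append(f"unexpected file: {rel}")
    return not problems, problems


def run_restore_test(corrupt=False):
    """End-to-end drill on a constructed data set. With corrupt=True the
    archive is truncated to half its size to show the drill catching a
    backup that cannot be restored."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        source, restore = work / "data", work / "restore"
        (source / "customers").mkdir(parents=True)
        (source / "customers" / "list.csv").write_text("id,name\n1,Example Ltd\n")
        (source / "invoices.db").write_bytes(os.urandom(4096))  # constructed binary content
        archive = work / "backup.tar.gz"
        manifest = make_backup(source, archive)
        if corrupt:
            data = archive.read_bytes()
            archive.write_bytes(data[: len(data) // 2])
        restore.mkdir()
        return restore_and_verify(archive, restore, manifest)


if __name__ == "__main__":
    print("intact backup:   ", run_restore_test())
    print("truncated backup:", run_restore_test(corrupt=True))
```

The manifest is what makes this a test rather than a hope: comparing hashes taken at backup time against the restored files proves the copy is complete and unchanged, and the same function can be pointed at the off-site or offline copy on a schedule. Keep the manifest (and this script) with your documented recovery procedure, so the person restoring under pressure runs a known-good check instead of improvising one.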

Apply what fits your situation

Not every business has the same security needs. An online shop with customer data has different priorities than a consultancy firm. But the principles above apply universally. Start with the basics and build from there.

Document your technical measures

GDPRWise helps you record which technical security measures you have in place and where improvements are needed.

GDPRWise Editorial

This article was written by the GDPRWise team and reviewed by our privacy experts. We regularly review our content for accuracy and legal correctness.