Data protection law requires you to process personal information securely, using appropriate technical and organisational measures but it does not define what measures to use. This is the ‘security principle’.
You must put in place technical and organisational measures to ensure your level of security is appropriate to the risk of using personal information. You must consider:
- the state of the art;
- costs of implementation; and
- the nature, scope, context and purpose of your processing.
If you plan to use a third-party moderation provider, acting as a data processor, you must choose one that provides sufficient guarantees about its security measures.