Integrity and confidentiality
According to the GDPR, personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’ principle). (See the “Integrity and confidentiality” section in the “Principles”, Part II of these Guidelines.) In practice, this principle involves three main issues: integrity, confidentiality and availability.
  • Integrity refers to the protection of personal data “against accidental damage”, for example due to a transmission error, accidental or unauthorized modification. It thus aims at preventing any kind of event that could “corrupt” the data in any way that renders them unfit for the purposes of processing.
  • Confidentiality refers to the protection of personal data “against unauthorized or unlawful processing”.
  • Availability refers to the protection of personal data “against accidental loss or destruction”, for example due to the failure of a storage component.
Availability and integrity are somewhat linked in the case of IoT, since only data that are adequately preserved can be made available to the data subject. Confidentiality, by contrast, is a more complex issue that calls for complex measures because of the very nature of the processes involved and the risks inherent in such processes.