What obligations do organizations have regarding technical and organizational measures under GDPR?


The correct choice articulates the fundamental principle underlying the General Data Protection Regulation (GDPR) concerning data security. Organizations are required to implement appropriate technical and organizational measures to ensure a level of security that is proportional to the risks associated with data processing activities. This obligation stems from Article 32 of the GDPR, which emphasizes that the measures taken should consider the nature of the data being processed, potential risks to data subjects, as well as the state of the art and the cost of implementation.

By making this a requirement, the GDPR seeks to ensure that organizations not only recognize the sensitivity of personal data but also understand that different processes may pose different levels of risk. Thus, it's essential for organizations to assess and align their security measures accordingly to prevent data breaches and protect the rights of individuals.

This obligation is not limited to merely having some security measures in place, nor does it allow organizations to completely offload responsibility for data security to third parties. Reliance on third parties for security does not absolve organizations of their obligations; they remain responsible for ensuring that appropriate protections are in effect, regardless of any external service agreements. Furthermore, the idea that there are no specific obligations related to these measures contradicts the GDPR's comprehensive framework, which explicitly lays out the expectations
