Security is not mandatory under the GDPR , but it is recommended. That is, you are responsible for your client’s data, so taking precautions to make sure the data cannot be accessed by unauthorized people is advisable. Also, if you choose not to implement any protection measures, you will need to explain the reasoning behind your choice.
You will often see the saying “security by design and by default”. This supports the idea that it should be a part of the core of your organization. Expectations are businesses will implement current best practices, but no specific security methods are recommended. Each company will need to decide what is the best method for their needs. Methods suggested by the GDPR include encryption and pseudonymisation, tokenization, frequent testing to verify the effectiveness of the security methods, measures that allow the restoration of personal data in case of a data breach and measures that ensure the resilience of systems and services that process data. Failures are susceptible to fines.