Which factors may be considered in determining measures to process personal data securely under GDPR?

Under GDPR, choosing appropriate security measures is guided by multiple considerations to ensure actions are proportionate to the risk. The factors include the current state of the art (what tech and practices are available now), the costs of implementing the measures (ensuring measures are affordable and sustainable), and the nature, scope, context, and purposes of the processing (how sensitive the data are, how broadly they are processed, who has access, and why processing is done). In addition, the level of risk to the rights and freedoms of data subjects must be weighed. Because all of these areas can influence what measures are appropriate, the option that includes all of them is the best choice. Focusing on only one or two factors can miss other important considerations and lead to insufficient security relative to the actual risk and context.