(1) A controller shall implement appropriate technical and organisational measures for the purposes of -
(a) ensuring that the processing of personal data for which it is responsible is performed in compliance with this Part, and
(b) demonstrating such compliance.
(2) A controller shall ensure that measures implemented in accordance with subsection (1) are reviewed at regular intervals and, where required, updated.
(3) The measures referred to in subsection (1) shall include the implementation of an appropriate data protection policy by the controller, where such implementation is proportionate in relation to the processing activities carried out by the controller.