An organization’s overall security posture, including its choices of security solutions, that demonstrate whether its commitment to security is commensurate with the risk and magnitude of harm resulting from loss, unauthorized access, or mutation of the data. Falling below an adequate level of protection might give grounds to a lawsuit alleging negligence.

The GDPR narrowly defines “adequate level of protection” as a European Commission decision that a non-EU country offers a similar level of protection for personal data as the EU for the purposes of cross-border data transfers.