Article 32

Security of processing

1.   Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:


the pseudonymisation and encryption of personal data;


the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;


the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;


a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

2.   In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

3.   Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.

4.   The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.

What does it mean?

Technical and organisational security measures are terms often used within the context of the GDPR.

A technical measure could be using antivirus software for malware detection on your computer or using video cameras to deter criminals. Both antivirus software and video cameras can help a company to maintain an appropriate level of security of the personally identifiable information that your company is processing.

An organisational measure could be processes, procedures or training of employees in best practices. Organisational measures are essential to implement in minor organisations as these often have fewer technical resources available to implement technical measures. Technical measures often require more specialised knowledge to implement appropriately.

The GDPR states that you need to implement ‘appropriate’ technical and organisational measures; in this regard, the meaning of ‘appropriate’ is a crucial term to understand for your compliance with the GDPR.

You will only know what is appropriate measures when you have assessed the risks of your organisation’s processing of personal data. So, you need to do a risk assessment. 

Based on the results of your risk assessments, you will know what threats and potential consequences your organisation faces. Afterwards, it is essential to mitigate these risks by adopting ‘appropriate’ organisational and technical measures.

The risk assessment clarifies the risks that your processing of personal data exposes. Based on the identified risks, you should assess what level of risk you are willing to accept. 

Generally speaking, your appropriate security measures should increase when processing increasingly sensitive personal information, several kinds of personal information, and when the volume of data subjects increases. 

Unfortunately, there is no one-size-fits-all when setting an appropriate level of security for the risk, and there are no shortcuts. Fortunately, this is also an advantage as it allows you to implement the security measures most suitable to your needs.

If your data is encrypted, unauthorised persons will not be able to read the information if it is stolen. This property makes encryption a recommended security measure in the GDPR.

Everything you can read in this article is in a readable format called “plain text”. If the content were encrypted, the text would be unreadable for both the reader and the computer. Thus, encryption would ensure the confidentiality of this information.

The content would only be readable when the encryption is removed, done with an encryption key. An encryption key is a kind of ‘password’ that gives access to the content. 

The encryption key connects the plain text and the encrypted text. 

Encryption is crucial for information security, especially in the banking sector, where digital money is transferred between banks. Encryption ensures that these transfers can be performed safely without disclosing your information to third parties.

The three terms Confidentiality, Integrity and Availability are parts of an information security framework used to analyse the risks associated with data processing. 

The framework is used in most risk assessment frameworks, and the wording of Article 32(1)(a) hints to us that we need to do a risk assessment.

Confidentiality means that information must be protected against unauthorised access or disclosure so that it cannot be made known to unauthorised parties. This may involve, for example, protection against hackers or avoiding sending e-mails to the wrong recipients.

Availability refers to the protection of information against unauthorised access by persons who have the right to access it. If you cannot access personal data in your online bank, for example, this can have negative consequences for you – you may not be able to pay a bill on time.

Integrity refers to protecting information from unauthorised modification or destruction. The information must be accurate, as this is the basis for processing data, e.g. if errors are made in the payment of wages, an employee may risk missing or losing their pay.

As a data controller or data processor (i.e. any business owner), you must ensure that your employees have been instructed on how to process personal data. This hints that you must have processes and procedures to handle personal data carefully.

The record of processing activities contains a list of the processes that should have instructions for employees. 

Awareness Training

Ensure that your entire company is equipped with the necessary awareness training on the basics of GDPR and IT security.



Get Started within 24 hours.

Once you have submitted your details, you’ll be our top priority!