Security of Processing
Plain English Translation
GDPR Article 32 requires organizations to implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, or unauthorized disclosure. This involves assessing risks and applying security controls such as encryption, access management, and backups to ensure the confidentiality, integrity, availability, and resilience of processing systems. Organizations must also regularly test and evaluate the effectiveness of these measures to demonstrate GDPR Article 32 compliance.
Technical Implementation
Required Actions (startup)
- Enable encryption at rest and in transit (TLS) for all databases and communications.
- Implement multi-factor authentication (MFA) and basic role-based access control (RBAC).
- Configure automated daily backups for critical systems storing personal data.
Required Actions (scaleup)
- Establish formal vulnerability scanning and a structured patch management cycle.
- Implement centralized logging and alerting for suspicious activity across the infrastructure.
- Conduct regular disaster recovery testing and table-top exercises to validate incident response.
Required Actions (enterprise)
- Deploy advanced threat protection and Data Loss Prevention (DLP) to monitor data exfiltration.
- Automate infrastructure as code (IaC) security checks in the CI/CD pipeline.
- Conduct continuous compliance monitoring and annual independent penetration testing.
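As an added example (not code from the page or from WatchDog Security), the following Python script turns the startup-tier actions above (encryption at rest, TLS in transit, automated backups) into an infrastructure-as-code policy gate of the kind the enterprise tier asks for in CI/CD, tagging each finding with the Article 32 clause it evidences. The plan format and attribute names are assumptions for this example, not any real tool's schema.

```python
# Minimal IaC policy gate mapping findings to GDPR Article 32 clauses.
# Added example, not from the original page. It assumes a simplified plan
# format ({"resources": [{"type", "name", "config"}]}); attribute names
# are illustrative, not any real tool's schema.
import json

def _encrypted_at_rest(cfg):
    # Art. 32(1)(a): encryption of personal data at rest.
    return cfg.get("storage_encrypted") is True

def _tls_enforced(cfg):
    # Encryption in transit: HTTPS only, nothing below TLS 1.2.
    return cfg.get("protocol") == "HTTPS" and cfg.get("min_tls_version") in ("1.2", "1.3")

def _backups_enabled(cfg):
    # Art. 32(1)(c): ability to restore data in a timely manner.
    return cfg.get("backup_retention_days", 0) >= 1

# resource type -> [(check, Article 32 clause, finding text)]
RULES = {
    "database": [
        (_encrypted_at_rest, "Art. 32(1)(a)", "encryption at rest is disabled"),
        (_backups_enabled, "Art. 32(1)(c)", "automated backups are not configured"),
    ],
    "listener": [(_tls_enforced, "Art. 32(1)(b)", "TLS 1.2+ is not enforced")],
}

def evaluate(plan):
    """Return one finding per failed check; an empty list means the plan passes."""
    findings = []
    for res in plan.get("resources", []):
        for check, clause, issue in RULES.get(res["type"], []):
            if not check(res.get("config", {})):
                findings.append({"resource": f"{res['type']}.{res['name']}",
                                 "clause": clause, "issue": issue})
    return findings

def gate(plan):
    return not evaluate(plan)  # CI/CD gate: pass only when no Art. 32 finding remains

# Constructed sample plan: one compliant and one deficient resource of each type.
SAMPLE_PLAN = json.loads("""{"resources": [
  {"type": "database", "name": "customers", "config": {"storage_encrypted": true, "backup_retention_days": 7}},
  {"type": "database", "name": "analytics", "config": {"storage_encrypted": false, "backup_retention_days": 0}},
  {"type": "listener", "name": "web", "config": {"protocol": "HTTPS", "min_tls_version": "1.2"}},
  {"type": "listener", "name": "legacy", "config": {"protocol": "HTTP"}}
]}""")

if __name__ == "__main__":
    for f in evaluate(SAMPLE_PLAN):
        print(f"{f['resource']}: {f['issue']} ({f['clause']})")
    raise SystemExit(0 if gate(SAMPLE_PLAN) else 1)
```

The non-zero exit status is what a pipeline step would key on; the per-clause findings can be stored as the testing evidence Article 32(1)(d) expects.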
Article 32 requires controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks. This includes protecting personal data from unauthorized access, accidental loss, and destruction to maintain the overall security of processing.
"Appropriate technical and organisational measures" are context-specific security controls tailored to the organization's risk level. Examples include encryption, pseudonymization, multi-factor authentication, regular security testing, and robust access management policies.
While not strictly mandated in every single case, Article 32 explicitly highlights the pseudonymisation and encryption of personal data as appropriate measures to mitigate risks, making it highly recommended for compliance.
Organizations must conduct risk assessments considering the state of the art, implementation costs, and the nature, scope, context, and purposes of processing, as well as the severity of potential harm to data subjects if a breach occurs.
Organizations should enforce the principle of least privilege using role-based access control, require multi-factor authentication, and perform regular user access reviews to meet GDPR access control requirements under Article 32.
Organizations must have the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident. This necessitates reliable backups and a tested business continuity and disaster recovery plan.
Article 32 requires a process for regularly testing, assessing, and evaluating the effectiveness of security measures. This typically involves continuous vulnerability scanning, regular penetration testing, and periodic internal audits.
Organizations should maintain an information security policy, risk assessment reports, evidence of encryption, backup logs, access control reviews, and results from security testing and table-top exercises to demonstrate GDPR Article 32 compliance. Tools like WatchDog Security's Compliance Center can centralize this evidence, link it to the control, and support audit-ready reporting over time.
Both controllers and processors share the direct legal obligation under Article 32 to implement appropriate security measures. Processors must securely process data on behalf of the controller and assist them in ensuring overall compliance.
Common gaps include failing to encrypt sensitive personal data, poor access controls leading to unauthorized disclosure, lacking multi-factor authentication, and failing to patch known vulnerabilities promptly.
GDPR Article 32 is often difficult to evidence because security measures span multiple teams and systems. Tools like WatchDog Security's Compliance Center can map required safeguards to control owners, automate evidence collection where feasible, and highlight gaps so security and compliance teams can track progress over time.
Regular testing and evaluation under Article 32 often depends on consistent vulnerability intake, triage, and remediation reporting. Tools like WatchDog Security's Vulnerability Management can ingest findings from multiple scanners, support triage workflows, and provide MTTR analytics to help demonstrate that vulnerabilities are tracked and resolved in line with risk.
"Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-23 | WatchDog Security GRC Team | Initial publication |