GDPR Article 32: Security of Processing

Vimal Mohan

Vimal Mohan

Jul 27, 2022

If your organization processes personal data, the General Data Protection Regulation (GDPR) requires you to present a security posture that can protect the data in your business environments from cyber-attacks.

GDPR Article 32 talks about setting up controls and policies to deploy this line of defence required to ensure data security. But while the requirement is mandatory, GDPR doesn’t mandate a list of things to follow! So, how do you know if your deployed measures meet the requirements or not?

This article will help you navigate through this ambiguity and become GDPR compliant.

Article 32 GDPR- Security of Processing

1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the GDPR controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

(a) the pseudonymisation and encryption of personal data;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.

4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.

What is Article 32 of the GDPR?

Article 32 of GDPR requires any organization processing user data of individuals from the European Union (EU) to implement safeguards in place to ensure data protection. These safeguards could include physical and technical measures.

However, it does not prescribe a checklist of things to do.  That’s because technology is constantly evolving. Hence, recommending security measures that always remain unbeatable and protect from cyber attacks is not possible.

However, GDPR Article 32 Security of Processing is where the focus is on. 

What does that translate to?

What is your organization doing to protect user data and what are the levels of security measures you’ve deployed to protect data from a cyber attack, or protect it from data theft in physical forms?

Is this open to interpretation? Let’s find out.

GDPR Article 32 Requirements

To be compliant with GDPR Article 32 requirements businesses must deploy several measures to ensure data protection. Here’s a step-by-step description of what you can do to get started in your compliance journey.

Step 1:
Have a state-of-art security stack in place and review the infrastructural costs involved to deploying it. What’s State-of-Art? We’ve explained that in the section ‘Article 32 GDPR Compliance Description’.

To do: Analyse the current products available in the market and do your due diligence on versions, add ons, and update frequency among other things before picking the best security tool that’s applicable for your business. 

Step 2:
Draft your organization’s internal policies and safeguards that focus on addressing the issues that commonly arise with infosec.

Step 3:
Continuously run checks to ensure that the measures deployed are working to your desired expectations.

To do: Run periodic audits and compare the security posture of the current audit report with previous ones to look for instances that could become vulnerabilities.

Step 4:

Look for gaps to analyze whether new reforms are required to boost your current security posture to get it to maximum efficiency.

Step 5:

Market leaders such as Cyber Essentials have listed a set of technical controls that need to be implemented. Get started on that.

Step 6:

Run organization-wide audits to look for gaps and areas that require security strengthening.

Step 7:

Ensuring data integrity, data security, and data confidentiality is essential. According to the nature of the data you process and your organization’s risk assessment,  deploy appropriate measures.

Step 8:

Always have backup systems to gain access to personal data during data loss.

Step 9:

When in doubt about what measures to implement, it is advisable to take inspiration from a globally accredited mechanism and adhere to its guidelines.

Step 10:

If you are a data controller, ensure that all the data GDPR processors in your business ecosystem are GDPR compliant and use the protocols required to ensure data integrity.

Article 32 GDPR Compliance Description

Article 32 of GDPR states that every organization (you), to become or remain GDPR compliant, must ensure continued alignment with these requirements:

*You must ensure that every data set that enters your system is pseudonymized or encrypted.

*Your processing systems must maintain a strong posture continuously towards access, integrity, confidentiality, and availability.

*Continuously test to ensure the safeguards deployed are working at maximum efficiency.

Adding to that, every organization that acts as a data controller must document their evaluation of the requirements as mentioned earlier against these criteria:

State of the Art

This evaluation reflects the most advanced tools available for use. For example, tools could be purpose-built with multiple add-ons. Or a feature can ensure unauthorized access to personal data is flagged and restricted access to said data. Another feature automatically notifies the team members tasked with data protection on such occurrences.

Define the scope of data processing

Your evaluation should contain information on why data is collected, the list of legal ways you collect data, the nature of the data you collect, and the context in which it is used.

Cost

The evaluation should include the costs you’ve estimated your organization would have to invest in attaining a security posture that justifies your risk profile.

Article 32 GDPR Compliance Methods

To become/remain compliant with GDPR Article 32, your organization must continuously present a posture where all the technical safeguards mentioned below are in ‘green’.

  • Log changes to data
  • Every change in a data set must be tracked by a ticketing system. This shows the auditor that every instance where data was changed is trackable, back to the source of the request and the particulars of the request.
  • Data Visibility and Segmentation:
  • You have complete visibility over your business environment. As a controller, you should record and document particulars of the volume of data stored, a list of locations it is stored at, and a record of all the types of data storage resources (cloud, on-prem, portable devices) used. A segmentation of the type of data collected and their associated risk levels should be in place.
  • Measures to prevent data loss:
  • Your organization should be equipped to prevent a data breach to the best of its abilities to data stored in storage units, data in use across teams, or data in endpoint devices. Your measures should work against block attacks, unauthorized use of privileges, web-based requests from bad actors, or any other unusual activities in your ecosystem that could lead to a data breach.
  • Data Masking Process:
  • Include systems required to ensure that personal data is encrypted or goes through a robust pseudonymization process. 
  • Protect Data
  • Ensure that data integrity is not compromised when it is reconciled, queries are whitelisted, or when it is transferred overseas.
  • Enforce strict regulations between different business functions to ensure data integrity and processing guidelines.
  • Secure archives
  • In a data breach, archives are your map to help you locate the affected systems and assess the volume of damage incurred. Secure your archives from instances that could lead to permanent archive data loss or tampering with archived data.
  • Sensitive data must be protected with extra measures to prevent unauthorized access. Setting up trigger alarms is an excellent first-contact response. 
  • Have a system in place that focuses on educating your users about the rights that they are entitled to under the GDPR guidelines.
  • Map the data access points
  • VIP Data Privacy
  • Access to sensitive and critical user data should only be accessible by a select few who are trained to access that data and process it the right way. This authorization-based access to user data should apply to data used/stored in any part of your business ecosystem.

GDPR Article 32 checklist

Here’s a jargon-free version of a GDPR Article 32 checklist you can use to ensure that you check all the boxes in the checklist to become compliant with Article 32.

  1. Conduct a Risk Assessment
    •  Analyze the risk level
    •  Identify the best practices based on risk level
  2. In the evaluation stage, consider the cost of implementation and State of the Art.
  3. Drafted an internal infosec policy and deployed measures to ensure that they are implemented.
  4. Have you deployed additional measures and controls to ensure data integrity wherever applicable.
  5. Do you continuously review your security posture and measures implemented and make improvements where needs arise?
  6. Do you implement security measures based on the outcome you wish to achieve?
  7. Do you understand that you might have to implement new technical and organizational measures based on the data you process?
  8. Do you use encryption, hashing, or pseudonymization wherever applicable to protect data.
  9. Do you agree that the Confidentiality, Availability, and Integrity requirements are understood for the data you process?
  10. In the event of a breach, do you have the means to ensure that backup systems restore severed access to data.
  11. Do you conduct tests regularly and continuously to test if our security measures are working effectively? And when you notice an improvement opportunity to strengthen our measures, are you proactive?
  12. Do you mandate every processor working with us to lay down appropriate measures to protect data?

GDPR, with its chapters and articles, lays guidelines for businesses to follow to ensure data protection. Unfortunately, businesses spend a lot of time and resources getting these recommended requirements in place to become/remain compliant. The process is time-taking, inefficient, and prone to error. All these three flaws could lead to non-compliance and hefty administrative fines.

At Sprinto, we help organizations in their compliance journey by introducing automation in the heart of the process.. Automation ensures that every aspect of GDPR related to technology and security runs on autopilot with little to no need for human intervention. And the other elements that involve your legal team are also taken care of reminding you about it when the need for action arises. Talk to us today to see how we can help make your compliance process efficient and easy.

FAQ

What is Article 32 of GDPR?

The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.

Vimal Mohan

Vimal Mohan

Vimal is a Content Lead at Sprinto who masterfully simplifies the world of compliance for every day folks. When not decoding complex framework requirements and compliance speak, you can find him at the local MMA dojo, exploring trails on his cycle, or hiking. He blends regulatory wisdom with an adventurous spirit, navigating both worlds with effortless expertise

Here’s what to read next….

Sprinto: Your growth superpower

Use Sprinto to centralize security compliance management – so nothing
gets in the way of your moving up and winning big.