Article 32 of GDPR: Security of Processing
Article 32 of GDPR requires data controllers and data processors to implement technical and organisational security measures appropriate to the risk, so that personal data is protected and the risk of adverse consequences for data subjects is minimised.
Implement security measures appropriate to the risk (Article 32(1) GDPR)
Controllers and processors must implement technical and organisational measures that ensure a level of security appropriate to the risk to individuals' rights and freedoms.
Data controllers and data processors should consider the appropriate level of security measures based on:
- The state of the art in the field of security and technology
- The cost of implementation of the appropriate security measures
- Nature of processing
- Scope of processing
- Context of processing
- Purpose of processing
- The risk to data subjects, taking into account its varying likelihood and severity
Article 32(1) lists the following measures as examples, to be applied as appropriate to the risk:
- Pseudonymisation and encryption of personal data (Article 32(1)(a) GDPR)
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services (Article 32(1)(b) GDPR)
- The ability to restore the availability of, and access to, personal data in a timely manner in the event of a physical or technical incident (Article 32(1)(c) GDPR)
- A process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures implemented (Article 32(1)(d) GDPR)
Risks to be considered by organizations (Article 32(2) GDPR)
When assessing the appropriate level of security, controllers and processors must take particular account of the following risks to personal data that is transmitted, stored or otherwise processed:
- Accidental destruction of data
- Unlawful destruction of data
- Loss of data
- Alteration of data
- Unauthorized disclosure of data
- Unauthorized access to data
Approved code of conduct or certification (Article 32(3) GDPR)
Adherence to an approved code of conduct (Article 40 GDPR) or an approved certification mechanism (Article 42 GDPR) may be used as an element by which to demonstrate compliance with the obligations of Article 32. It is evidence of compliance, not proof of it on its own.
Authorization of individuals having access to personal data (Article 32(4) GDPR)
The controller and the processor must take steps to ensure that any natural person acting under their authority who has access to personal data processes it only on instructions from the controller.
The only exception is where that person is required to process the data by Union or Member State law; any other processing outside the controller's instructions breaches Article 32(4).
Recitals applicable to Article 32 of GDPR
Relevant Recitals: 75, 76, 77, 78, 79, 83
GDPR Regulation article-by-article overview
Read our comprehensive overview of the GDPR Regulation, article by article, where we summarize each of the 99 articles contained in GDPR to give you a complete understanding of its content.
Cited Legislation in Article 32 or relevant recitals
GDPR Text: Article 32 of GDPR and Relevant Recitals
GDPR Text Source: EUR-Lex
Official GDPR Text: General Data Protection Regulation
Official GDPR Title: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), corrected by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679)