What is GDPR Article 32 and its requirements?


Within the GDPR (General Data Protection Regulation) you’ll find Article 32, which is well-known to those in the realm of cyber security. In this blog, we’ll unpick Article 32 and explore in detail the compliance requirements.


What is GDPR?

GDPR stands for General Data Protection Legislation and is an EU law that covers data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. One of the key sections is Article 32 of GDPR, but what does it say?


What is Article 32 of GDPR?

Article 32 (Security of processing) of the GDPR outlines the specific requirements for organisations that process personal data. It states that data controllers and data processors must implement “appropriate technical and organisational measures to ensure a level of security appropriate to the risk”.


GDPR Article 32 requirements

The four main GDPR Article 32 requirements are:

Pseudonymisation of personal data

Art. 32 GDPR: “The pseudonymisation and encryption of personal data”.

Essentially, this means transforming personal data by replacing names and any personal identifiers with reference numbers from a separate document. This is so if the information is exposed, it cannot be linked to a specific person because they don’t have access to the additional information/document. The document should be stored separately and securely.

Confidentiality, integrity, availability and resilience

Art. 32 GDPR: “The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services”.

This principle emphasises the importance of protecting personal data from unauthorised access, disclosure, alteration, or destruction. This means implementing security controls that make sure the confidentiality, integrity, availability and resilience of your systems and services:

  • Confidentiality: Data should only be accessed when needed.
  • Integrity: Data should be accurate.
  • Availability: When needed, the data should be accessible.
  • Resilience: Protected against threats and errors.

Ability to restore personal data

Art. 32 GDPR: “The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident”.

If a data security incident occurs, then organisations must have processes and procedures in place to regain access to personal data quickly. This includes having backups so the data isn’t lost, and data recovery plans so you have a clear recovery path.

Testing the effectiveness

Art. 32 GDPR: “A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing”.

Regular testing and evaluation of technical and organisational measures are crucial to ensure their ongoing effectiveness in protecting personal data. Some examples of ways you could do this are:

  • Penetration testing and ethical hacking
  • Vulnerability assessments
  • Incident response drills
  • Testing back-up recovery


Technical and organisational factors to consider

When organisations are implementing these measures to comply with GDPR Article 32, the following factors should be considered:

State of the art

The security measures adopted should reflect the latest technological advancements and best practices in data security.

Cost of implementation

Although the most advanced solutions might be the best, implementing them may not always be possible. The implementation costs should be considered in line with the business’s current situation and circumstances. If a specific security measure is not viable for the business, then an alternative, less expensive solution should be considered.

Nature, scope, context, and purposes of processing

The type of personal data being processed, the intended use of the data, and the context in which it’s collected all influence the level of security required, therefore should be considered before appropriate measures are selected.

Risk to the rights and freedoms of natural persons

The potential consequences of a data breach for the individuals whose data is being processed should be carefully assessed. This will help determine the appropriate level of security measures needed.


Compliance best practices for Article 32 of GDPR

Here are some methods your business can implement in order to help meet GDPR Article 32 requirements:

  • Risk assessments: Regularly evaluating the risks associated with personal data processing helps determine the appropriate security measures to implement. This assessment should consider the likelihood and impact of potential threats.
  • Data masking: Replacing sensitive data with values to reduce the risk in the event of a data breach.
  • User tracking: Monitoring user activity within systems that process personal data can help identify suspicious behaviour and potential security incidents.
  • Access control: Implementing controls to restrict access to personal data only to authorised personnel is crucial for data security. This could be things like passwords, multi-factor authentication, and access permissions.
  • Security audits: Regularly conducting security audits helps identify vulnerabilities in systems and processes that handle personal data.
  • Encryption: Encrypting personal data at rest and in transit protects it from unauthorised access even if it was exposed.
  • Incident response plans: Having a plan in place for responding to security incidents helps minimise damage and aid business continuity.


Become data secure with ISO 27001 from Citation ISO Certification

By understanding the requirements of Article 32 and carefully considering various factors, organisations can implement a robust data security framework that safeguards personal data and helps you comply with the GDPR Article 32 requirements.

With GDPR Article 32 explained, we hope you understand what’s needed from organisations in order to protect customer data. If you’re ready to become a data-secure business, then take a look at the support we offer at Citation ISO Certification. Gain ISO 27001 certification through our quick and easy three-step certification process and see how ISO 27001 can help your business achieve cyber resilience, or read our blog ‘Does ISO 27001 Cover GDPR?’.

Discover more about our ISO 27001 costs and ISO 27001 Implementation and start strengthening information security for your business right away. We’ve helped countless businesses over the years with ISO Consultancy and we’re here to do the same for you. Get in touch at 0333 344 3646 or email us at [email protected]. For more information, why not check our ISO 27001 guide?

Sign up to get the latest in your inbox

    • Email address

About the author

  • Name:

    Serena Cooper

  • Company:

    Citation ISO Certification

  • Bio:

    Serena has worked for Citation ISO Certification since 2022, writing creative and informative content on ISO certification and consultation to help businesses reach their potential.


QMS International use cookies to provide you with a better site experience, enable features and to help us understand how our website is being used.

By continuing, you consent to the use of cookies in accordance with our Cookie Policy

Allow All Cookies

Allow Strictly Necessary Cookies Only