Module 9 · Appropriate technical and organisational measures (Article 32)
Security of processing is a prerequisite for compliance: a large share of EU enforcement action follows a security incident. Article 32 itself sits in the lower fine tier of Article 83(4) (up to €10 million or 2% of total worldwide annual turnover), but a security failure is usually also assessed as a breach of the integrity and confidentiality principle in Article 5(1)(f), which falls in the upper tier of up to €20 million or 4%, whichever is higher. Article 32 requires the controller and the processor to take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, together with the likelihood and severity of the risk to individuals, and then to implement appropriate technical and organisational measures that ensure a level of security appropriate to that risk.
In practice Article 32 spans three domains: preventative security, incident detection and response (which feeds the breach-notification duties in Articles 33 and 34) and remedial security, including restoring availability after an incident. The wording is deliberately broad so that it stays future-proof: the GDPR lists results to achieve rather than a fixed checklist of technologies, and the burden of showing that the chosen measures were appropriate falls on the controller or processor.
- State of the art - not necessarily the most advanced technology available; the benchmark is the current consensus of security professionals on what is reasonable for this kind of processing, so a control that peers would regard as baseline (for example, encrypting data in transit) is hard to omit.
- Costs of implementation - not necessarily the most expensive option; what must be shown is a demonstrably sound management decision about where to spend, documented against the risk assessment.
- Appropriate measures - deliberately broad so the text stays future-proof; the GDPR names the results to achieve (pseudonymisation, encryption, confidentiality, integrity, availability, resilience) rather than particular products or standards.
- Level appropriate to the risk - a risk-based approach: the greater the likelihood and severity of harm to individuals, the stronger the controls, so sensitive and special-category data warrant tighter measures (Recital 83). Article 32(2) spells out the risks to weigh: accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Article 32(1) itself lists, "inter alia", four measures:
- (a) the pseudonymisation and encryption of personal data;
- (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- (c) the ability to restore the availability of, and access to, personal data in a timely manner after a physical or technical incident, which presupposes tested backups and a recovery plan;
- (d) a process for regularly testing, assessing and evaluating the effectiveness of the measures, which is why penetration tests, audits and exercise of the incident-response plan need to be scheduled rather than one-off.
Article 32(4) adds that anyone acting under the authority of the controller or processor, including staff and contractors with access to personal data, must process it only on the controller's instructions.
Security is therefore a prerequisite for compliance, and under the accountability principle (Article 5(2)) the controller or processor must be able to show that the measures chosen were appropriate to the risk at the time, not merely that some measures existed.