Security principle and the risk-based approach (Article 32)
Article 5(1)(f) sets the security principle ('integrity and confidentiality'); Article 32 expands on it, requiring appropriate technical and organisational measures that fit the level of risk. It binds both controller and processor. The approach is risk-based: measures must reflect the nature of the data, foreseeable threats, the state of the art, and cost. Article 32 expressly flags pseudonymisation and encryption, and the CIA triad of confidentiality, integrity, availability plus resilience. 'Appropriate' means the GDPR does not require absolute security - a breach is not automatically a legal failure.
Article 5(1)(f) establishes the security principle: data must be 'processed in a manner that ensures appropriate security … including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage' - labelled 'integrity and confidentiality'. Article 32 expands on it, setting out what the principle requires: appropriate measures giving a level of security appropriate to the prevailing risk. Article 5(1) is addressed to the processing itself, whereas Article 32 binds both controller and processor.
Accountability (Article 5(2)) with Article 24 requires the controller to prove compliance; Article 28(3)(h) imposes a similar proof duty on processors. Article 30 records of processing must include 'a general description of the technical and organisational security measures referred to in Article 32(1)'.
- Three domains of security under Article 32: preventative security (limit risk), incident detection and response (detect and respond; breach notification sits here), and remedial security (improve security after incidents)
- Risk assessments must reflect the nature of the data and reasonably foreseeable threats exploiting vulnerabilities
- The state-of-the-art test requires considering the consensus of professional opinion - industry best practice, not just average practice
- Cost may be considered, but ruling out a control on cost alone will not be treated favourably in enforcement
The word 'appropriate' means the GDPR does not require absolute security. A controller or processor can suffer a breach without violating the law - regulators 'cannot assume legal failure from operational failure'. Article 32(1)(a) names pseudonymisation and encryption as controls to consider; encryption became a de facto requirement through the consensus of professional opinion even though the old Directive was silent on it. Article 32(1)(b)-(d) lift the CIA triad - 'confidentiality, integrity, availability and resilience' - directly from the infosecurity industry. Article 32(3) recognises codes of conduct and certification as ways to prove compliance.
'Appropriate' ≠ 'absolute'. A security breach is not automatically a breach of the law. Regulators cannot infer legal failure purely from operational failure.