Article 32

Article 32 requires that data controllers and data processors secure consumer data using the “appropriate technical and organizational measures.”

Recommended security practices include:

  • Encrypting and anonymising personal data
  • Keeping processing systems and services confidential and available
  • Taking steps to maintain system resiliency and integrity
  • Ensuring access to personal data can be restored as soon as possible if an incident occurs
  • Implementing a process for security evaluation

In short, businesses under the GDPR are expected to ensure security for any personal data they process, and Article 32 outlines specific guidelines for what's required.