Article 32

Article 32 requires that data controllers and data processors secure consumer data using the “appropriate technical and organizational measures.”

Recommended security practices include:

• Encrypting and anonymising personal data
• Keeping processing systems and services confidential and available
• Taking steps to maintain system resiliency and integrity
• If an incident occurs, ensuring personal data access can be restored as soon as possible
• Implementing a process for security evaluation

In short, businesses under the GDPR are expected to ensure security for any personal data they process and Article 32 outlines specific guidelines for what's required.