Article 32 requires that data controllers and data processors secure consumer data using “appropriate technical and organizational measures.”
Recommended security practices include:
- Encrypting and anonymising personal data
- Keeping processing systems and services confidential and available
- Taking steps to maintain system resiliency and integrity
- Ensuring that access to personal data can be restored as soon as possible if an incident occurs
- Implementing a process for security evaluation

In short, businesses under the GDPR are expected to ensure security for any personal data they process, and Article 32 outlines specific guidelines for what's required.