GDPR - Article 32
Security of processing
Article 32.1
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Article 32.2
In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
Article 32.3
Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.
Article 32.4
The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.
Referenced By
This section is automatically generated by make generate-backlinks. Do not edit manually.
Controls:
- ACC-01: Identity & Authentication ^[Multi-factor authentication and phishing-resistant methods are technical measures to ensure security of processing]
- ACC-02: Least Privilege & RBAC ^[Least privilege and RBAC are technical and organizational measures ensuring security appropriate to risk]
- ACC-03: Access Reviews ^[Periodic access reviews are an organizational measure to ensure security of processing]
- ACC-04: Privileged Access Management ^[Enhanced controls on privileged access (MFA, monitoring, break-glass procedures) ensure security appropriate to high risk]
- DAT-01: Data Classification ^[Data classification is an organizational measure enabling appropriate security based on risk and data sensitivity]
- DAT-02: Encryption ^[Encryption of personal data is explicitly listed as an appropriate technical measure to ensure security of processing]
- DAT-04: Data Privacy (GDPR Compliance) ^[Technical and organizational measures ensure security of processing throughout data lifecycle]
- END-01: Device Management (macOS MDM) ^[MDM enforcement of encryption, screen locks, and updates is a technical measure ensuring security of processing]
- END-02: Endpoint Protection ^[Endpoint protection (EDR, antivirus, encryption, USB restrictions) is a technical measure ensuring security of processing]
- END-03: Software Updates ^[Regular security updates and patch management ensure ongoing security of processing systems]
- GOV-01: Security Policies ^[Policy framework ensures implementation and maintenance of appropriate technical and organizational security measures]
- GOV-02: Risk Assessment ^[Risk assessment determines appropriate technical and organizational measures based on risk level]
- INF-01: Cloud Security Configuration (AWS) ^[Secure cloud infrastructure configuration (VPCs, Security Groups, IAM) is a technical measure ensuring security of processing]
- INF-02: Network Security ^[Network security controls (firewalls, segmentation, monitoring) ensure security appropriate to risk]
- INF-03: Logging & Monitoring ^[Logging and monitoring enable detection of, and ability to respond to, security incidents affecting personal data]
- INF-04: Backup & Recovery ^[Backup and recovery capabilities ensure resilience and the ability to restore availability of and access to data after an incident]
- OPS-01: Change Management ^[Controlled change management ensures ongoing security and prevents unauthorized changes affecting personal data processing]
- OPS-02: Vulnerability Management ^[Regular vulnerability assessment and remediation ensure ongoing security appropriate to risk]
- OPS-04: Business Continuity ^[Business continuity and disaster recovery ensure resilience and ability to restore availability of personal data]
- PEO-01: Background Checks ^[Background checks are organizational measures ensuring trustworthy personnel handle personal data]
- PEO-02: Security Training ^[Security awareness training is an organizational measure ensuring personnel understand data protection obligations]
- PEO-03: Offboarding ^[Offboarding procedures ensure terminated employees can no longer access personal data]