GDPR Article 32: Security of Data Processing
If you're curious as to how the new GDPR regulations will affect you, Article 32 probably holds the answers. Read on for a quick exploration of this article's provisions.
The EU General Data Protection Regulation (GDPR) is a regulation formulated by the European Union to strengthen and unify data protection for all individuals within the European Union (EU). It covers many subjects, such as Privacy by Design and Data Breaches. One section in particular, that applies to all those working in Information Security, is Article 32.
What Is GDPR Article 32?
Article 32 lays out a few legally binding requirements for handling customer data in a secure manner, many of which have long been considered best practice. This article is designed to help businesses keep personal data secure by requiring them to adhere to its terms. It also aims to provide practical guidelines for businesses that want to improve their security procedures. In this blog post, we break down some of the most important aspects of Article 32.
Using the Latest Available Tools and Software
According to Article 32 of the GDPR regulations, only the most recent technology will suffice when implementing appropriate technical and organizational measures. What this means is that you are required to use the newest tools and methods in order to secure customer data. Depending on the context, this can range from modern, up-to-date security tools, like web vulnerability scanners and tools for logging and monitoring, to regular staff training and strong password policies.
Database servers, web servers, and any other type of server software used in the organization have to be up-to-date and regularly patched in order to adhere to this part of the GDPR.
Handling and Processing Personal Data
The nature, scope, and purpose of the data processing an organization performs also need to be documented. Data must also be stored appropriately. For example, credit card data has to be handled one way, whereas email addresses will be handled a different way. Generally, the rule is that it's best to store the minimum amount of data needed in order to perform a specified task.
As an application of the above rule, organizations have to make sure they adjust their security measures to match the probability and severity of a breach, weighed against its potential impact on the rights and freedoms of data subjects.
This means that a breach of a website that allows the exchange of sensitive data between journalists and sources may have a higher impact on the rights and freedoms of the affected users than the breach of a site that allows people to share cooking recipes, for example. It's vital to separate and estimate these varying risks and then apply security measures appropriate to the risk.
Minimum Compliance Requirements in Article 32
Article 32 of the GDPR states that, at a minimum, the required measures should include the following:
- Personal data should be pseudonymized (for example, by replacing names with unique identifiers) and encrypted where possible.
- Ongoing confidentiality, integrity, availability, and resilience of processing systems and services must be ensured. In other words, all data should be readily available to users, and provisions should be made to ensure that it is not read or tampered with by unauthorized persons, whether accidentally or on purpose.
- In case of a detrimental physical or technical incident, it must be possible to restore access to personal data quickly. This refers to offsite backups and emergency strategies in case of unforeseen events.
- Organizations must implement a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures that are designed to ensure the security of processing. In other words, organizations shouldn't blindly rely on established security measures, but proactively test them in order to see whether or not they work as intended. In the case of web applications, this would include penetration testing and regular application vulnerability scanning.
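As an added illustration of the pseudonymization point in the list above (example code written for this page, not from the original article or its author): direct identifiers are replaced with a keyed token, while the key and the lookup table are the "additional information" that has to be held separately from the processed data. The records, field names and keys are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample records; the people and addresses are not real.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "recipe": "lentil soup"},
    {"name": "Bob Example", "email": "bob@example.org", "recipe": "flatbread"},
    {"name": "Alice Example", "email": "alice@example.org", "recipe": "pancakes"},
]

# Fields that directly identify a data subject (assumed for this example).
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonym(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of an identifier: the same input under the same key
    always yields the same token, but the token cannot be reversed or
    recomputed without the key."""
    canonical = value.strip().lower().encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()[:32]


def pseudonymize(records, key: bytes):
    """Return (pseudonymized_records, lookup). The lookup maps each token back
    to the original identifiers and, like the key, must be stored separately
    under its own access controls."""
    out, lookup = [], {}
    for rec in records:
        token = pseudonym("|".join(rec[f] for f in DIRECT_IDENTIFIERS), key)
        lookup[token] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        out.append({"subject": token, **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return out, lookup


def reidentify(record, lookup):
    """Restore a record using the separately held lookup table."""
    return {**lookup[record["subject"]], **{k: v for k, v in record.items() if k != "subject"}}


def leaks_identifiers(pseudonymized, originals) -> bool:
    """Check that no raw identifier survives in the pseudonymized output."""
    blob = json.dumps(pseudonymized)
    return any(r[f] in blob for r in originals for f in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # kept apart from the pseudonymized data
    data, table = pseudonymize(RECORDS, key)
    print(json.dumps(data, indent=2))
    print("identifiers leaked:", leaks_identifiers(data, RECORDS))
```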
Consider All the Risks of Processing Data
Article 32 further states that organizations must consider the risks that are presented by processing personal data. These risks might take the form of accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of personal data. It also includes how personal data is accessed, transmitted, and stored. This GDPR section closes by reiterating that only authorized persons should process data when they are required or instructed to do so.
In summary, organizations should make sure that all personal data is safely stored and only transmitted to trusted, authorized persons and third parties.
Published at DZone with permission of Sven Morgenroth, DZone MVB.