GDPR Article 32: Security of Data Processing

If you're curious as to how the new GDPR regulations will affect you, Article 32 probably holds the answers. Read on for a quick exploration of this article's provisions.

Sven Morgenroth · Mar. 14, 18 · Analysis

The EU General Data Protection Regulation (GDPR) is a regulation formulated by the European Union to strengthen and unify data protection for all individuals within the European Union (EU). It covers many subjects, such as Privacy by Design and Data Breaches. One section in particular, Article 32, applies to everyone working in information security.

What Is GDPR Article 32?

Article 32 lays out a few legally binding requirements for handling customer data in a secure manner, many of which have long been considered best practice. This article is designed to help businesses keep personal data secure by requiring them to adhere to its terms. It also aims to provide practical guidelines for businesses that want to improve their security procedures. In this blog post, we break down some of the most important aspects of Article 32.

Using the Latest Available Tools and Software

According to Article 32 of the GDPR regulations, only the most recent technology will suffice when implementing appropriate technical and organizational measures. What this means is that you are required to use the newest tools and methods in order to secure customer data. Depending on the context, this can range from modern, up-to-date security tools, like web vulnerability scanners and tools for logging and monitoring, to regular staff training and strong password policies.

Database servers, web servers, and any other type of server software used in the organization have to be up-to-date and regularly patched in order to adhere to this part of the GDPR.

Handling and Processing Personal Data

The nature, scope, and purpose of the data processing an organization performs also need to be documented. Data must also be stored appropriately. For example, credit card data has to be handled one way, whereas email addresses will be handled a different way. Generally, the rule is that it's best to store the minimum amount of data needed to perform a specified task.

Segregating Data

As an application of the above rule, organizations have to make sure they adjust their security measures to match the probability and severity of a breach against the potential impacts on rights and freedoms of data subjects.

This means that a breach of a website that allows the exchange of sensitive data between journalists and sources may have a higher impact on the rights and freedoms of the affected users than the breach of a site that allows people to share cooking recipes, for example. It's vital to separate and estimate these varying risks and then apply security measures appropriate to the risk.

Minimum Compliance Requirements in Article 32

Article 32 of the GDPR states that, as a minimum, the measures an organization takes should include the following:

  • Personal data should be pseudonymized (for example, by replacing names with unique identifiers) and encrypted where possible.
  • Ongoing confidentiality, integrity, availability, and resilience of processing systems and services must be ensured. In other words, all data should be readily available to users, and provisions should be made to ensure that it is not read or tampered with by unauthorized persons, whether accidentally or on purpose.
  • In case of a detrimental physical or technical incident, access to personal data must be able to be restored quickly. This refers to offsite backups and emergency strategies in case of unforeseen events.
  • Organizations must implement a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures that are designed to ensure the security of processing. In other words, organizations shouldn't blindly rely on established security measures, but proactively test them in order to see whether or not they work as intended. In the case of web applications, this would include penetration testing and regular application vulnerability scanning.
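The first bullet above (pseudonymization by replacing names with unique identifiers) and the earlier data-minimization rule (store only the data needed for the task) are the two places where a concrete implementation helps. The following is an added example, not code from the original article or from the author: it pseudonymizes direct identifiers with a keyed hash (HMAC-SHA256) so that the same subject always gets the same token, keeps the token-to-identity table separate from the processing dataset, and strips fields the task does not need. The sample records, field names and key are constructed for the illustration.

```python
import hashlib
import hmac

# Constructed sample records (fictional people, not real data).
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "phone": "555-0100", "recipe": "lentil soup"},
    {"name": "Bob Example", "email": "bob@example.com", "phone": "555-0101", "recipe": "flatbread"},
    {"name": "Alice Example", "email": "alice@example.com", "phone": "555-0100", "recipe": "risotto"},
]

# Fields that directly identify a person and are replaced by a pseudonym.
IDENTIFIER_FIELDS = ("name", "email")


def pseudonym(value: str, key: bytes) -> str:
    """Derive a stable 128-bit pseudonym from an identifier using HMAC-SHA256.

    A keyed hash is used instead of a plain hash: names and e-mail addresses are
    low-entropy, so an unkeyed SHA-256 could be linked back by hashing likely
    values. Whoever holds the key can re-compute tokens; nobody else can.
    """
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).digest()[:16].hex()


def minimise(record: dict, needed_fields: tuple) -> dict:
    """Keep only the fields a given processing task actually needs."""
    return {k: v for k, v in record.items() if k in needed_fields}


def pseudonymise(records, key: bytes, needed_fields: tuple):
    """Return (processing_dataset, reidentification_table).

    processing_dataset: records with identifiers replaced by one 'subject' token
        and reduced to the fields the task needs.
    reidentification_table: token -> original identifiers. This table is meant to
        be stored separately from the dataset, under stricter access control.
    """
    processed = []
    lookup = {}
    for rec in records:
        token = pseudonym("|".join(rec[f] for f in IDENTIFIER_FIELDS), key)
        lookup.setdefault(token, {f: rec[f] for f in IDENTIFIER_FIELDS})
        reduced = minimise(rec, needed_fields)
        reduced["subject"] = token
        processed.append(reduced)
    return processed, lookup


def reidentify(token: str, lookup: dict):
    """Authorised re-identification: only possible with the separate table."""
    return lookup.get(token)


if __name__ == "__main__":
    # Constructed key; in practice this comes from a secrets store, never the dataset.
    demo_key = b"\x01" * 32
    dataset, table = pseudonymise(SAMPLE_RECORDS, demo_key, needed_fields=("recipe",))
    for row in dataset:
        print(row)
    print("subjects in re-identification table:", len(table))
```

The recipe analytics task never sees names, e-mails or phone numbers, yet the two "Alice" rows still share a subject token so they can be counted as one person. Rotating the key yields a completely different token set, which is what you want when a dataset is handed to a new processor.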

Consider All the Risks of Processing Data

Article 32 further states that organizations must consider the risks that are presented by processing personal data. These risks might take the form of accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of personal data. The assessment also covers how personal data is accessed, transmitted, and stored. This GDPR section closes by reiterating that only authorized persons should process data, and only when they are required or instructed to do so.

In summary, organizations should make sure that all personal data is safely stored and only transmitted to trusted, authorized persons and third parties.


Published at DZone with permission of Sven Morgenroth, DZone MVB. See the original article here.
