Article 32 of the EU’s General Data Protection Regulation (GDPR) requires organizations to implement technical and organizational measures to ensure a level of security for processing of personal data appropriate to the risk presented by the processing.  Organizations are encouraged to take into account the available technologies, costs of implementation, context of processing, the type of data, the risk involved in processing, and severity of harm presented to “the rights and freedoms of natural persons.”1

Specifically, security controls should include, as appropriate:

  • The pseudonymization and encryption of personal data;
  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.2

Establishing proper security controls is critical for any organization subject to GDPR.  This is especially true because covered entities have only 72 hours to notify supervisory authorities after becoming aware of a personal data breach.  Data controllers are also responsible for ensuring that any third parties that process personal data on their behalf take all security measures required by the regulation.3

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR), art. 32.


Id., arts. 28, 33.

More topics in this series