GDPR Article 32: Your Guide to the Requirements

Perhaps the most widely discussed set of compliance requirements within the GDPR (General Data Protection Regulation) is the one found in Article 32.

That’s because it contains the measures that organisations must implement to prevent cyber attacks and data breaches.

In this blog, we look at how you can meet your GDPR Article 32 requirements.

What is Article 32 of the GDPR?

Article 32 of the GDPR sets out the technical and organisational measures that organisations should implement to protect the personal data that they store.

The GDPR doesn’t go into specific detail about what these processes should look like. This is because best practices – particularly when it comes to technology – change rapidly, and what is considered appropriate now might not be in a few years.

Whatever measures you adopt should adequately protect your systems from data breaches and other potential problems.

This includes incidents such as an unauthorised person (whether that’s an employee or a third party) accessing systems, or the ability for people to send sensitive information outside the organisation.

There are many other factors that go into data protection, such as your level of transparency with data subjects and your purpose(s) for processing their information.

However, these are not covered in Article 32 of the GDPR, which focuses specifically on processing personal data securely.

Specifically, it states that you must identify and mitigate risks that are presented by data processing, “in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed”.

So how can you do that? Let’s take a look.

Minimum compliance requirements in Article 32

Every organisation operates uniquely and has its own risks, so there is no single set of data protection practices that work for everyone.

That’s why the GDPR requires you to implement defences that are appropriate to your circumstances and the risks that you face.

This could include:

  • Pseudonymising personal data

You can do this by replacing the names and unique identifiers of data subjects with a reference number, which you can cross-reference via a separate document. This way, the information poses much less risk if it is exposed.

This is a relatively simple approach to data security, and it’s important to remember that it only helps to some extent. Indeed, if someone hacks into your systems, they may be able to find the corresponding data and identify the data subjects.

As such, some organisations might go the extra mile and encrypt personal data.

As with pseudonymisation, encrypted data is unreadable unless you have another piece of information – which, in this case, is a decryption key.

However, the extra security makes it more inconvenient to access the data, so you probably wouldn’t encrypt a database that you were using regularly.

This process is much better suited to archives, files that you only occasionally access, or data that’s in transfer.
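As an added illustration of the pseudonymisation approach described above (example code, not from the original article), the following Python snippet replaces the direct identifiers in a set of constructed sample records with a reference number and hands back the lookup table separately, so the working dataset on its own identifies nobody while the lookup table still allows re-identification. The record fields are assumptions made for the example, and it uses a random token rather than a sequential number so that references cannot be guessed.

```python
import secrets

# Constructed sample records; these are not real people.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org",
     "postcode": "AB1 2CD", "order_total": 120.50},
    {"name": "Bob Sample", "email": "bob@example.org",
     "postcode": "EF3 4GH", "order_total": 89.99},
]

# Fields that directly identify a data subject (assumed for this example).
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonymise(records, identifier_fields=DIRECT_IDENTIFIERS):
    """Return (working dataset, lookup table).

    Each record's direct identifiers are replaced by a random reference
    number. The mapping from reference to identifiers is returned as a
    separate object so it can be stored (or encrypted) apart from the
    dataset that staff and systems use day to day.
    """
    lookup = {}
    working = []
    for record in records:
        ref = secrets.token_hex(8)  # unguessable, unlike a sequential counter
        lookup[ref] = {f: record[f] for f in identifier_fields}
        working.append({"ref": ref, **{k: v for k, v in record.items()
                                       if k not in identifier_fields}})
    return working, lookup


def reidentify(working, lookup):
    """Join the working dataset back to identities; needs the lookup table."""
    return [{**lookup[r["ref"]], **{k: v for k, v in r.items() if k != "ref"}}
            for r in working]


def exposed_identifiers(working, identifier_fields=DIRECT_IDENTIFIERS):
    """Check that no direct identifier survived in the working dataset."""
    return [f for r in working for f in identifier_fields if f in r]
```

Indirect identifiers such as the postcode remain in the working dataset, which is why this is pseudonymisation rather than anonymisation, and why the lookup table must be held separately from the data it unlocks.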

  • Measures to protect the confidentiality, integrity and availability of personal data

Confidentiality means that sensitive information is viewed only by authorised parties, integrity means that information is accurate, and availability means that information is accessible when necessary.

When it comes to confidentiality, there are two things you must look at: how to prevent criminal hackers from breaking into your systems, and how to prevent your employees from exposing sensitive information.

The first issue can be addressed with defences such as anti-malware software, staff awareness training and vulnerability scans.

Meanwhile, you can reduce the risk of insider misuse by creating strict policies on data handling.

You should place an emphasis on disposing of information properly and implementing appropriate defences when data is stored in the Cloud. Likewise, you should adopt measures to prevent employees from misusing information maliciously.

Data integrity can be ensured with measures such as access controls and audit trails, and data availability with a robust BCMS (business continuity management system).

  • Measures to restore data in the event of a disruption

In the event of a physical or technical incident that affects your ability to operate, you must be capable of restoring access to personal data promptly.

You can do this by creating and regularly maintaining off-site backups, which will prevent data loss. This should be complemented by an incident response plan, which ensures that you can switch to backups with minimal delay.

  • Regularly test the effectiveness of these measures

You must be confident that the technical and organisational measures that you’ve adopted continue to work as intended.

This might be a problem if the organisational structure has changed, rendering certain processes no longer relevant.

Alternatively, a review of your measures might reveal that a process isn’t being followed properly, the technology is faulty or the risk has evolved.

Whatever the issue might be, you must regularly test any technical or organisational measure that you adopt. This might come in the form of an audit, a vulnerability scan or a penetration test, for example.

GDPR Article 32 checklist

To help you stay on top of your Article 32 obligations, the UK’s data protection authority, the ICO (Information Commissioner’s Office), has created a compliance checklist.

  • Review the state of the art and costs of implementation when considering information security measures.
  • Create an information security policy to keep track of technical and organisational measures.
  • Create additional, specific policies to address information security measures.
  • Regularly review policies to ensure they work as intended, and improve them where possible.
  • Implement basic technical controls such as those specified by established frameworks such as Cyber Essentials.
  • Assess whether new measures need to be implemented if the circumstances of data processing change.
  • Implement measures to protect the confidentiality, integrity and availability of personal data.
  • Implement measures to restore access to personal data in the event of disruption.
  • Regularly test and review technical and organisational measures, highlighting areas for improvement.
  • Where appropriate, implement measures that adhere to an approved code of conduct or certification mechanism.
  • Ensure that any data processor also implements appropriate technical and organisational measures.

How we can help you achieve GDPR compliance

Are you looking for independent assurance that your data protection practices meet the GDPR’s Article 32 requirements?

If so, our GDPR Audit Service is the ideal solution. We will audit your organisation, identifying areas of non-compliance and providing recommendations for how you can improve.

We will then provide you with a detailed report containing our findings.

It will highlight areas where you are at greatest risk, as well as prioritised recommendations to help you develop a plan of action.


A version of this article was originally published on 28 September 2020.