The European Union formulated the EU General Data Protection Regulation (GDPR) to strengthen and unify data protection for all individuals living within the European Union, with transparency, compliance, and punishment being its three biggest pillars.
In this article, we’ll discuss one of the most crucial parts of GDPR, Article 32, a section that’s responsible for the security of personal data being processed, and how you can comply with its requirements.
What is GDPR Article 32 Anyway?
Here’s what the legal text (well, most of it) states about GDPR Article 32:
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
To put it simply, GDPR Article 32 makes it mandatory for organizations to have technical and organizational security measures in place. These measures are based on different factors, like the degree of sensitivity of the personal data and the purpose for which it’s being acquired.
Business owners have to ensure that they fulfill the legally binding requirements and securely handle customer data. They must adopt specific processing systems that cater to these GDPR requirements by providing appropriate privacy measures via data segregation, access controls, and identity management capabilities.
Interestingly, the regulation doesn’t go into too much detail about what the precautionary processes should look like. This is mainly because of the dynamic nature of technology-based practices, which are constantly evolving, becoming better and more responsive.
Nevertheless, Article 32 compliance requirements do enough to protect customer data, giving individuals the ultimate right to decide how their information can be used.
How GDPR Article 32 Works
At the very minimum, data security measures should:
- Encrypt or pseudonymize personal data.
- Maintain ongoing confidentiality, integrity, availability, accessibility, and resilience of processing systems and services.
- Restore access to and the availability of personal data in the event of a physical or technical security breach.
- Test and evaluate the effectiveness of technical and organizational measures.
Let’s elaborate on the minimum compliance requirement in GDPR Article 32 in more detail below:
Pseudonymization of Personal Data Measures
This requirement focuses on reducing the risk in case information ever gets exposed.
It’s a simple data security approach, where you replace the names and unique identifiers of data subjects with reference numbers. You can then cross-reference this number via a separate document to keep track of your consumers.
Admittedly, pseudonymizing personal data only helps to a limited extent. If a cybercriminal successfully hacks into the corresponding data set, they’ll be able to identify your data subjects, which will defeat the whole purpose of hiding the names in the first place.
You can go the extra mile and encrypt your data, which will make it unreadable for everyone unless you have another piece of information, a.k.a. your decryption key.
Of course, adding this extra security level will prolong the steps to access the data. Keeping this in mind, it’s best to encrypt only those databases that are either in the archives, stored in devices where the risk of exposure is high, or accessed occasionally.
Protection of Confidentiality, Integrity, and Availability of Personal Data Measures
Confidentiality is the assurance that all your critical information will only be accessible to authorized parties, while integrity and availability of information refer to the assurance that the information is always accurate and the assurance the information is always viewable, respectively.
You must keep two crucial things in mind when it comes to data confidentiality:
- How to prevent hackers from getting access into your system
- How to prevent your employees from exposing sensitive information
While hackers can be controlled using anti-malware software, vulnerability scans, and staff awareness training, you can also limit insider misuse by creating strict policies concerning data handling, as well as preventing employees from misusing information.
Prompt Data Restoration Measures in Case of Any Disruptions
Suppose a physical and technical incident takes place in your system. Quick damage control is required here, where you restore access to personal data as soon as there’s a disruption.
This is why Article 32 outlines creating and maintaining offsite backups to minimize data loss. You can also have an incident response plan that lets you switch to backups with minimal delay.
Regular Testing of Effectiveness of the Adopted Measures
You have to be confident about your adopted technical and organizational measures and continue testing them to ensure they work as intended.
You must keep reviewing all your precautionary measures to discover when a process isn’t being followed properly, or which technology has become faulty.
Problems can also arise when you modify your organizational structure. Changing your system layout can bring quite a few notable changes, which, in turn, can result in specific processes becoming irrelevant.
The main idea here is to regularly test all your adopted technical or organizational measures. Our recommendation would be to schedule periodic audits, penetration tests, or vulnerability scans.
Now, let’s explore how three security features—data segregation, role-based access control, and identify management—can assist in meeting Article 32’s requirements, helping ensure security of processing.
Security Feature #1: Data Segregation
Data segregation lets you separate content into different portals to set up different access control for every type of content.
You can divide all your data by distributing users into different groups. For instance, you can have departmental groups or project-wise groups, whichever suits you best based on your requirements.
Still, this isn’t enough to meet all GDPR Article 32 requirements by itself. You need other complementing security measures in places like role-based access control, multi-factor authentication, and SSO integration.
The good news is that these measures together can really boost your system’s security, making all the effort worth it.
Security Measure #2: Role-Based Access Control
Role-based access control can work in combination with data segregation to prevent unauthorized access to data.
You can set different user roles based on an individual employee’s position, authority, and trust level. As a result, you won’t have to worry about your data being used by unauthorized eyes.
Alternatively, you can have project-specific or department-wise user groups or multiple autonomous portals to meet GDPR requirements using data segregation capabilities for teams not confined to a specific user role.
Security Measure #3: Identity Management
Having an identity management system is another great tactic to ensure only authorized and relevant users can access your data so that everything is in compliance with Article 32 requirements.
You can use single sign-on integration to protect customer identities. This integration supports multiple authentication providers like directory services (AWS, Azure Active Directory, etc.), Identity Access Management (IAM) services (OneLogin, Okta, etc.), and third-party login services (Facebook, Google, etc.), which restricts hackers from entering your databases.
Furthermore, experts found that while 56% of Europeans have experienced some kind of fraud, 1/3 of them have faced identity theft. This sheds light on how important identity management is for every organization—more so, for those who deal with sensitive information.
How to Get Started With GDPR Article 32
GDPR Article 32 is definitely a positive development from a customer’s perspective. Business owners have to take several data privacy measures to ensure compliance and avoid penalties, ensuring client data is protected to the best possible measures.
Let’s take a look at what you need to do to meet GDPR Article 32 requirements.
- Step 1: Review the state of art (an evaluation of the recently released and advanced data security and privacy enhancement tools) and cost of implementation when considering information security measures.
- Step 2: Make an information security policy and other specific policies to track technical and organizational measures and address information security measures.
- Step 3: Regularly review adopted policies to ensure they keep working as you want them to. You should always look for improvement opportunities whenever possible.
- Step 4: Analyze whether new measures have to be implemented to boost efficiency.
- Step 5: Implement basic technical controls as specified by established frameworks like Cyber Essentials.
- Step 6: Test and review technical and organizational measures to identify areas for improvement in your systems.
- Step 7: Take necessary measures to protect your data’s confidentiality, integrity, and availability.
- Step 8: Implement measures to restore your access to personal data in case of any disruption.
- Step 9: Implement measures, where possible, that adhere to an approved certification mechanism or code of conduct.
- Step 10: Ensure the data processor implements appropriate technical and organizational measures.