Art. 32 GDPR obligates the controller and processor to implement appropriate technical and organizational measures to ensure an appropriate level of data security. Further, Art. 28 GDPR explicitly states that the controllers must use the services only of processors that provide “sufficient guarantees to implement appropriate technical and organizational measures“. Art. 32 GDPR brings a non-exhaustive list of such measures:
- the pseudonymization and encryption
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing
The appropriate level of security should be assessed by taking into consideration the risks of processing, particularly from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed. These measures must be in place throughout all of the processing activities.
The approved codes of conduct (Art. 40 GDPR) or approved certification mechanisms Art. 42 GDPR may be used as elements to demonstrate compliance with the obligation to implement appropriate technical and organizational measures. Implementation of these tools is not obligatory; however, they represent certain benefits to the controllers and processors (see Art. 40 and Art. 42 GDPR).