The Articles: No. 32 – Security of processing

GDPR is not just about security, is it…?

In a series of posts over the coming weeks GDPR Auditing will take a look at some of the more significant articles of the GDPR.

In this post, the first from our “The Articles” series, we look at Article 32 – Security of Processing, that on the face of it may look simple but dig a little deeper and the impact to your business could be significant.

Unlike PCI-DSS that has a very detailed list of Security requirements, the GDPR covers all of Security under Article 32 and only at a very high-level. This is not surprising as the GDPR is not designed to be prescriptive about how to get your security right , but is about the rights of EU citizens with respect to their personal data and the security of their data is just one aspect of that.

Ensuring security of Personal Identifiable Information (PII) that you hold on your IT systems is vital, not least because of the considerable penalties that could be levied under the new regulation.

As a business you should know what PII data you hold, undertaking a Data Asset Inventory if necessary and as a minimum you should ensure:

  • User access to PII Data is properly controlled and monitored.
  • Staff are properly trained on how to handle PII Data, individuals are often the weakest link.
  • Any Processors you use are GDPR compliant and their compliance is enforced contractually.
  • When transmitting PII Data around your organisation and to external parties it is done in a secure manner.
  • PII Data is protected at rest including when stored on disk, in the Cloud or on any other media.
  • PII data is backed-up and the back-up process is regularly tested to prevent data loss.
  • Your IT systems are protected by firewalls that are properly configured and up to date.
  • You have data loss prevention policies and procedures in place to ensure PII data does not leak out of your organisation.
  • You have intrusion detection and prevision systems in place.
  • You have anti-virus, anti-malware and anti-spyware systems in place.
  • Portable devices such laptops are properly protected by the use of encryption.
  • When decommissioning IT systems PII data is whipped and unrecoverable.
  • Physical Security of your IT equipment is adequate.

Whilst there is currently no certification system in place the regulation clearly indicates this is coming: “Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42”. Getting your security right at this stage will not only meet your obligations under GDPR it will also put you in a good position to complete certification when it becomes available.

We expect certification to come with some form of seal of approval, which will give your customer’s peace of mind when using your services.

In our next post, we take a look at Article 37, Designation of the Data Protection Officer (DPO), and what this could mean for your business.

If you would like to know more about how GDPR Auditing can help your organisation with GDPR or have any suggestions of future posts for this series please email us at

© GDPR Auditing 2017
The information provided in this post is for general information only and is not intended to provide legal advice.