The General Data Protection Regulation (GDPR) is one of the strongest security and privacy frameworks in operation in the world. Of this regulation, Article 32 stands out among its numerous guidelines as it deals explicitly with the “security of processing” of personal data.

This piece aims to demystify GDPR Article 32, breaking down its requirements and their implications for businesses of all sizes. Whether you’re a business owner, a data protection officer, or a GDPR enthusiast, this article will provide the insights you need to grasp and implement the crucial aspects of Article 32.

GDPR and Data Processing Security

Article 32 of the General Data Protection Regulation refers to the security of processing personal data–a critical part of the overall mission of the regulation to protect consumer data. Broadly, the article defines some of the responsibilities that compliance organizations must take on and execute to meet GDPR requirements. 

According to GDPR Article 32, the controller and the processor shall implement appropriate technical and organizational measures to ensure security appropriate to the risk. These measures include:

• The pseudonymization and encryption of PII.
• Ensuring the ongoing confidentiality, integrity, availability and resilience of a processing system.
• Restoring the availability and access to PII promptly in the event of an incident.
• Implementing a process for regularly testing, assessing and evaluating the effectiveness of technical and security measures.

Organizations must take into account risk and context when assessing the appropriate levels of security to implement in line with these requirements. These risks should include accounting of the fallout from destruction or unauthorized disclosure of data. 

Additionally, controllers and processors must ensure that anyone processing data under their direction must do so only by instruction of those entities in accordance with the law. 

Pseudo-Anonymization and Encryption of Data

Pseudonymization is a de-identification process where personally identifiable information (PII) is replaced by one or more alternative identifiers to ensure that a person cannot be identified from a given record. The objective of pseudonymization is to render the data record less identifiable and, therefore, less sensitive.

Several different forms of pseudonymization include:

• Substitution: Replacing a data field with a pseudonymous identifier established and protected from outside knowledge. This can be as simple as replacing names with “Individual 1” or “Person 2.”
• Tokenization: Similar to substitution, but involves the generation of a token that represents the original data without an algorithmic relationship to the original. Tokens are stored securely with a mapping to the original data.
• Secret Key Encryption: An encryption key is used to encode data, and that same key is required to decode it. The key is stored securely and separately from the pseudonymized data.
• Data Masking: Some data is obscured to maintain anonymity, such as masking the first five digits of a social security number in online form-fills.
• Generalization: Data is modified to be less specific, such as changing a particular age to an age range.

Remember that pseudonymized data is still considered personal data under GDPR Article 32 as the data can be re-identified with additional information (e.g., the secret key). This contrasts with anonymization, where re-identification should not be possible.

Also, implementing pseudonymization requires careful planning and handling. It’s essential to ensure the security of the pseudonyms, as the re-identification of data can lead to privacy breaches.

Confidentiality, Integrity, Availability, and Resilience

Also known as the CIA triad, confidentiality, integrity, and availability are models designed to guide policies for information security within an organization. Here’s what each component means:

• Confidentiality is about maintaining the privacy of PII within an IT system. In the context of data systems, this could involve measures such as access controls, encryption, and privacy policies to ensure that only authorized individuals can access the data.
• Integrity involves ensuring the correctness and trustworthiness of data over its entire life cycle. Data must not be altered in transit, and steps must be taken to ensure that data cannot be modified by unauthorized people (for example, in a breach of confidentiality). These measures might include checksums, hashing, or digital signatures verifying data integrity.
• Availability ensures that information is accessible and usable upon demand by an authorized party. Systems should be reliable and robust, maintained with regular updates, upgrades, and testing.

Additionally, there is the concept of “resilience.” Resilience is the ability of a system to essentially “bounce back” during times of stress or disaster. These times can include cyberattacks, natural disasters, or heavy use periods. 

Organizations often have to implement a combination of policy, technology, and training to ensure the CIA triad in a data system. It’s important to note that this is a fundamental concept in IT security and an essential requirement in many compliance guidelines, including but not limited to GDPR, HIPAA, PCI-DSS, etc.

Restoration and Recovery

Maintaining sufficient IT recovery capabilities under GDPR Article 32 is crucial for an organization to respond to and recover from events that could disrupt its IT systems, such as hardware failures, software bugs, cyber-attacks, or natural disasters. Here are several strategies an organization can employ to ensure effective IT recovery capabilities:

• Disaster Recovery Plan (DRP): Develop a comprehensive disaster recovery plan that outlines the steps to be taken during a disaster. This plan should detail the procedures for restoring IT systems, data, and infrastructure and assign roles and responsibilities for carrying out these procedures.
• Backup Systems: Regularly back up critical data and systems. Backup frequency depends on the specific needs of the business–some businesses require daily or real-time backups, while others are fine with weekly backups. Backups should be stored in the cloud or in offsite servers to protect against physical damage to the business’s location.
• Redundancy: Implement redundant systems and components that can take over in a failure. This can include redundant servers, storage systems, network paths, power supply, and even redundant sites (like hot, warm, or cold).
• Vendor Support: Ensure support contracts and service level agreements (SLAs) with vendors include provisions for disaster recovery support, including how quickly they can respond and what resources they can provide.
• Employee Training: Ensure employees are trained on the steps they need to take in the event of a disaster.

Remember that a good disaster recovery strategy involves technology, people, and processes. It’s a continuous process that needs regular review and updating to remain effective as the organization and its environment evolve.

Testing

Regular testing is a key component of an effective IT security strategy under GDPR Article 32. It helps you uncover vulnerabilities and weaknesses before attackers do. Here are some of the best practices for regularly testing enterprise IT systems for security:

• Vulnerability Scanning: Regularly perform automated vulnerability scans on your systems. This can help you find known vulnerabilities in your system due to outdated software or misconfigurations.
• Penetration Testing: This involves simulating a cyber attack on your systems to identify vulnerabilities. It’s typically done by an external party specializing in cybersecurity. The process involves exploiting vulnerabilities to see how far an attacker might get, helping you understand the potential impact of an attack.
• Security Audits: Conduct regular security audits to evaluate your organization’s adherence to security standards and policies. This might involve reviewing system configurations, examining user access controls, or checking for proper encryption usage.
• Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS): Use IDS/IPS systems to monitor your network traffic and system activities for malicious activities or policy violations.
• Red Team Exercises: In a red team exercise, a group of white-hat hackers actively try to defeat your security measures and gain access to your system, as a real-world attacker would. This is similar to penetration testing but is often more extensive and can include social engineering attempts.
• Regular Patching and Updates: Regularly updating and patching your systems helps to secure known vulnerabilities. Regularly test to ensure patches are applied correctly and consistently across all systems.
• Incident Response Drills: Regularly test your incident response plan to ensure it works effectively, and everyone knows their role during a security incident.
• Compliance Checks: If you’re subject to regulations like GDPR, HIPAA, or PCI DSS, regularly check to ensure you comply with these standards.
• Security Awareness Training: This isn’t a test, but it’s an important part of a secure IT environment. Regularly train staff about security best practices and the latest types of threats.

Remember, these tests aim to improve your organization’s security posture continually. After conducting these tests, it’s essential to analyze the results, remediate detected issues, and adjust your security policies and controls. Working with a reputable cybersecurity firm for these tests is beneficial, as they can provide the required expertise and an outside perspective.

Are Your Processing Controls Up to GDPR? Ensure They Are with Continuum GRC.

Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

• FedRAMP
• StateRAMP
• GDPR
• NIST 800-53
• FARS NIST 800-171
• CMMC
• SOC 1, SOC 2
• HIPAA
• PCI DSS 4.0
• IRS 1075
• COSO SOX
• ISO 27000 Series
• ISO 9000 Series
  

And more. We are the only FedRAMP and StateRAMP Authorized compliance and risk management solution worldwide.

Continuum GRC is a proactive cyber security® and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.