GDPR Article 32 — Security of processing
Enforced by: ICO (UK) / National DPAs
Current as of May 25, 2018
Plain Language Summary
Appropriate security measures are required, including encryption, pseudonymisation, resilience, backup and recovery, and regular security testing. What counts as "appropriate" is determined by the risk to the personal data being processed.
The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational security measures.