Security of processing - Art. 32 GDPR
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk […]
It must be ensured that suitable technical and organisational measures are taken to implement the requirements of the GDPR.
Technical and organisational measures
Technical and organisational measures (TOM) are all measures that ensure the security of the processed data. These can be, for example:
- Pseudonymisation and encryption of data
- Ensuring the confidentiality, availability and resilience of the systems used for data processing, e.g. role and authorisation concept, backup solutions, technical updates
- Physical access protection through lockable storage solutions or lockable premises
The GDPR states that these measures are to be chosen taking into account the state of the art, the costs of implementation and the nature, scope and purposes of the processing, as well as the likelihood and severity of the risks associated with that processing.
Here too, the GDPR remains quite vague, but this vagueness also leaves room for manoeuvre in the design of the measures. Elsewhere the GDPR refers to "reasonable efforts". The main point is that the controller must assess the risk of processing personal data and implement measures appropriate to that risk. Those who process sensitive data must therefore implement correspondingly extensive measures to protect it.