What You Need to Know about GDPR Article 32

by GDPR Associates | 7th June 2019 6:34 pm

My last blog (GDPR compliance for cybersecurity professionals[1]) was dedicated to all the IT security professionals out there who drew the short straw and are now the proud owner of their company’s GDPR compliance[2] program (even though the EU’s General Data Protection Regulation isn’t all about cybersecurity). In that last blog, I stated that the sections of the GDPR that fall within scope of most IT security professionals revolve around Article 32 in one way or another—and I also said I would go into more detail on Article 32, so here you go.

Many people I talk to seem to be confused about Article 32 of the GDPR: they are looking for clear instructions and, ideally, a way to assess their work. Some get hung up on the phrase “state of the art,” certain that they are doomed because they have to go buy some new “next-gen-artificially-intelligent-learning-machine” that they can’t afford, let alone staff.

I asked Tom Cornelius, founder and lead contributor to SecureControlsFramework.com[3] (a non-profit group of volunteer specialists that provides free cybersecurity and privacy control guidance for organizations), about Article 32 of the GDPR. He explained, “I interpret ‘state of the art’ as ‘leading practices,’ and in terms of cybersecurity that means one of the common cybersecurity frameworks that dictate what right looks like. Auditors do not have a ‘state of the art’ audit manual – they audit against PCI Compliance[4], SOC 2, ISO 27001, HIPAA, etc.”

What does GDPR ‘Article 32 – Security of Processing’ mean?

My eyes glazed over the first time I read Article 32. My first interpretation was simply “do security,” which every security compliance[5] program obviously tries to accomplish (duh!). So I read it, and all the other security-related articles, over and over, and nothing more prescriptive magically appeared.

I think Article 32 makes more sense if you read the introductory paragraph backwards and clean up some of the vague legalese. For example:

Official text (ahem… hear ye, hear ye): “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate.”

(What, what?)

Official text backwards (with some light touch-ups): When appropriate, risks should be addressed with security controls, starting with policies and processes for employees, to make use of technical security controls, so everyone in the organization can protect the rights and freedoms of their employees, partners and individuals, while considering the total costs and effectiveness of implementing relevant processes and controls used by peers, other industries and other compliance standards.

Here is the official text one more time, deconstructed and annotated with my backwards version.

Taking into account the state of the art, (relevant processes and controls used by peers, other industries and other compliance standards)

the costs of implementation and the nature, scope, context and purposes of processing as well as (while considering the total costs and effectiveness of implementing)

the risk of varying likelihood and severity for the rights and freedoms of natural persons, (can protect the rights and freedoms of their employees, partners and individuals)

the controller and the processor shall (so everyone in the organization)

implement appropriate technical and (to make use of technical security controls)

organisational measures (starting with policies and processes for employees)

to ensure a level of security appropriate to the risk, (risks should be addressed with security controls)

including inter alia as appropriate (when appropriate)

Okay, enough “fun with GDPR words.” Now what, right? Here is a list with a few steps to take using this approach (everyone loves lists, right? I know our SEO manager does!)

This article was originally posted here: https://blog.alertlogic.com/blog/what-you-need-to-know-about-gdpr-article-32/[7]

Endnotes:
  1. GDPR compliance for cybersecurity professionals: https://blog.alertlogic.com/blog/what-gdpr-compliance-means-to-the-it-security-professional/
  2. GDPR compliance: https://www.alertlogic.com/solutions/compliance/gdpr-compliance/
  3. SecureControlsFramework.com: https://www.securecontrolsframework.com/about
  4. PCI Compliance: https://www.alertlogic.com/solutions/compliance/pci-compliance/
  5. security compliance: https://www.alertlogic.com/solutions/security-compliance/
  6. 12 step guide from the ICO: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
  7. Original post: https://blog.alertlogic.com/blog/what-you-need-to-know-about-gdpr-article-32/

Source URL: https://www.gdpr.associates/what-you-need-to-know-about-gdpr-article-32/