GDPR Compliance: Meeting Article 32 Security Requirements

Article 32 requires 'appropriate technical and organisational measures' to protect personal data. This specifically includes pseudonymisation and encryption, the ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems, the ability to restore access after incidents, and — critically — a process for regularly testing, assessing, and evaluating the effectiveness of your security measures. Article 5(1)(f) adds the overarching integrity and confidentiality principle. The standard is risk-appropriate, not prescriptive, but regulators have been explicit: vulnerability scanning, multi-factor authentication, and patch management are named controls whose absence has directly triggered fines.

GDPR Article 83 defines two fine tiers. Failing to have adequate security measures in place (Article 32) or breaching the integrity and confidentiality principle (Article 5) falls under Tier 2 — up to €20 million or 4% of global annual turnover, whichever is higher. For a company with €10 million annual revenue, that means fines up to €400,000. For large multinationals, 4% of turnover can far exceed €20 million — Meta received a €1.2 billion fine in 2023 calculated on turnover. Cumulative GDPR fines reached €7.1 billion by early 2026, and regulators are becoming more specific in naming the exact security controls that were missing.

Attack surface management (ASM) directly addresses the security-of-processing requirements in GDPR Articles 25 and 32. By discovering your exposed assets and testing them for vulnerabilities on a weekly cadence, ASM gives you the 'regular testing and evaluation' process that Article 32(1)(d) explicitly requires. It also supports Article 25 data protection by design — you cannot apply security controls to systems you do not know exist. SeguriScan's weekly automated scanning reduces the dwell time of attackers on your network, supporting the 72-hour breach notification window under Article 33 by detecting incidents faster and producing the evidence trail needed for DPA reporting.

Article 32 of the GDPR is titled 'Security of processing' and is the regulation's core technical security requirement. It requires organisations to implement measures appropriate to the risk, taking into account the state of the art, costs, and the nature of the data being processed. The four specific measures listed are: pseudonymisation and encryption, ensuring confidentiality and resilience, restoring availability after incidents, and regular testing and evaluation. This is why GDPR is not just a privacy compliance exercise — it is a legally binding security mandate. Regulators are now naming specific absent controls like vulnerability scanning and MFA when issuing fines, making Article 32 a concrete technical obligation, not just a vague principle.

Yes. There is no SMB exemption from GDPR's security requirements. Article 32 applies to any organisation that processes personal data, regardless of size. The regulation does include a proportionality standard — measures must be 'appropriate to the risk' — which means a 10-person company is not expected to have the same security apparatus as a hospital. But basic technical controls, including vulnerability scanning, are expected of all businesses. The Apotheka case (Estonia, 2024) resulted in a €3 million fine for an SMB-scale loyalty programme that failed to implement basic cybersecurity measures. Regulators have shown they will pursue small organisations when failures are clear.

Meeting GDPR security requirements is not a one-time audit — it is an ongoing practice you must be able to evidence. Article 32(1)(d) requires a process for regular testing and evaluation, which means you need dated records showing you assessed your security posture, identified vulnerabilities, and took remediation action. SeguriScan generates timestamped scan reports with risk-scored findings and remediation status that serve as technical scanning evidence for this requirement. These reports are also the technical foundation for a Data Protection Impact Assessment (DPIA) under Article 35, and can demonstrate good-faith security measures to a supervisory authority in the event of an investigation or breach.