GDPR Article 32 often leaves people grappling with confusion, searching for straightforward guidance and practical ways to evaluate their compliance efforts. The term “state of the art” trips up many, creating a sense of doom as they assume it demands expensive, cutting-edge technologies — like a “next-gen AI-powered learning machine” — that are not only out of budget but also beyond their staffing capacity.

GDPR Article 32 requirements overview flow chart

We spoke to Tom Cornelius, founder and lead contributor to SecureControlsFramework.com (a nonprofit group of volunteer specialists that provides free cybersecurity and privacy control guidance for organizations), about Article 32 of the GDPR. He explained, “I interpret ‘state of the art’ as ‘leading practices,’ and in terms of cybersecurity that means one of the common cybersecurity frameworks that dictate what right looks like. Auditors do not have a ‘state of the art’ audit manual – they audit against PCI Compliance, SOC 2, ISO 27001, HIPAA, etc.”


What Does GDPR Article 32 “Security of Processing” Mean?

Article 32 makes more sense if you read the introductory paragraph backwards and clean up some of the vague legalese. For example, the official text reads: “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller, and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate.”

(What, what?)

Official text backwards (with some light touch-ups): When appropriate, risks should be addressed with security controls, starting with policies and processes for employees, to make use of technical security controls, so everyone in the organization can protect the rights and freedoms of their employees, partners, and individuals, while considering the total costs and effectiveness of implementing relevant processes and controls used by peers, other industries and other compliance standards.

Here is the official text one more time, deconstructed and annotated with my backwards version.

  • Taking into account the state of the art, (relevant processes and controls used by peers, other industries and other compliance standards)
  • the costs of implementation and the nature, scope, context, and purposes of processing as well as (while considering the total costs and effectiveness of implementing)
  • the risk of varying likelihood and severity for the rights and freedoms of natural persons, (can protect the rights and freedoms of their employees, partners, and individuals)
  • the controller and the processor shall (so everyone in the organization)
  • implement appropriate technical and (to make use of technical security controls)
  • organizational measures (starting with policies and processes for employees)
  • to ensure a level of security appropriate to the risk, (risks should be addressed with security controls)
  • including inter alia as appropriate (when appropriate)

4 Steps to Achieving Article 32

Step 1

Determine whether doing all of this is appropriate. Do you hold or process personal data that belongs to people in the European Union? (If yes, go to Step 2.)

Step 2

Don’t hit that ‘Buy Now’ button quite yet. There is no need to go buy “GDPR software solutions” before you assess your needs and take inventory of your existing tools.

Step 3

Find out where all the protected data is stored, how it is processed, how it moves, and where it goes. This can be a challenging exercise without assistance and cooperation. Go for best efforts here. Document as much as possible and go to the next step (data auditing is never really complete).

Step 4

Determine how much risk there is to that data. Consider not just breaches of confidentiality, but any risk that would also impact the availability of or access to that data, or its integrity (which is also considered a “breach” in the eyes of the GDPR).

About the Author
Fortra's Alert Logic Staff