Jun 2026
Blog Home

GDPR and Cyber Security: How Data Protection Works in Practice

Woman using a tablet with a holographic security lock and shield, representing data protection and cybersecurity

Article 32 EU/UK GDPR: Security of processing explained

Article 32 requires organizations to implement “appropriate technical and organizational measures” to ensure a level of security appropriate to the risk, taking account of the sensitivity of the data, operational scope, and the potential impact of a breach on individuals.

These are risk-based requirements, not a fixed compliance checklist. For example, a global healthcare provider handling sensitive patient records will be expected to maintain stronger controls than a small organization processing basic contact information, reflecting both the nature of the data and the potential consequences of a breach.

What “appropriate technical and organizational measures” means

In practice, “appropriate” measures include encryption, multi-factor authentication, access management, backup and recovery, vulnerability management, security monitoring, incident response, resilience planning, and staff awareness training implemented in line with risk.

This reflects GDPR’s shift toward continuous accountability, requiring proof that measures are effective, proportionate, and consistently applied. Organizations are expected to carry out risk assessments, document decisions, and regularly review controls to align with evolving threats and expectations.

Confidentiality, integrity, and availability

GDPR security obligations are built around confidentiality, integrity, and availability.

Confidentiality limits access to authorized users via controls such as multi-factor authentication, role-based access controls, encryption, and network segmentation with least-privilege configuration.

Integrity protects against unauthorized alteration through audit logging, changing management, and file integrity monitoring, while availability requires resilient infrastructure, backups, and disaster recovery planning and processes.

Ransomware or other events that make data unavailable may be reportable depending on the assessed risk to individuals and applicable criteria.

Encryption, pseudonymization, and layered security

Encryption should be considered and implemented proportionately to risk. Encryption is referenced in Article 32 because it can reduce the risk of unauthorized access and should be applied to data in transit, and data at rest across endpoints, servers, backups, and cloud, including the possible use of hardware encrypted storage devices where appropriate.

This is particularly important for remote work and hybrid-cloud operations. However, encryption alone is not enough and must be part of; a layered security model, alongside strong access management, monitoring, incident response, staff training, and ongoing testing.

Pseudonymization can reduce risk by separating identifying information from datasets with appropriate safeguards. Regulatory guidance and recent enforcement trends emphasize that pseudonymization is a valuable safeguard but does not take data outside the scope of GDPR where re-identification remains possible.

Organizations are increasingly expected to assess how effective pseudonymization is in practice, including who holds additional information and controls to prevent re-identification. Pseudonymization is also relevant as a supplementary safeguard for international data transfers.

International transfers after Schrems II

International data transfers remain a key focus area. After the Schrems II judgment, organizations cannot rely on transfer tools such as contractual clauses alone. They should document transfer risk assessments and, where needed, add supplementary measures such as encryption, segregation of keys, and robust pseudonymization.

Regulators increasingly expect organizations to assess risks to individuals’ rights and freedoms and to document their decisions. In practice, organizations should use appropriate mechanisms, including adequacy decisions, the European Commission’s 2021 Standard Contractual Clauses (SCCs), and, for certified recipients, the EU–US Data Privacy Framework (DPF), with pseudonymization recognized as an important safeguard where properly implemented.

Testing, monitoring, and continuous evaluation

Organizations should regularly test and evaluate their security controls through vulnerability scanning, penetration testing, continuous monitoring, security audits, incident response exercises, and backup restoration testing; to verify ongoing effectiveness. Monitoring and visibility are essential for early detection, limiting disruption, and meeting breach notification duties.

Many organizations now align their GDPR programs with recognized frameworks such as ISO/IEC 27001, ISO/IEC 27701, the NIST Cybersecurity Framework, or Cyber Essentials tailored to their risk profile.

How GDPR affects cyber security strategies

A GDPR-aligned strategy centers on accountability, risk assessment and third-party oversight. Organizations should be able to demonstrate compliance with documented risk assessments, records of processing, incident response procedures, and supplier oversight, with clear evidence of decision-making and reviews.

This includes recording breach decisions (including whether an incident is reportable), assessing impact on individuals, and showing that key controls (such as encryption, monitoring and access management) are effective. In practice, this means that security investment should reflect threats, vulnerabilities, and data sensitivity.

Third-party risk management is critical because controllers remain responsible for processors, requiring due diligence before engaging processors, contractual oversight, and ongoing monitoring.

Was this helpful?

Need Help?

Related Articles