Zero-knowledge end-to-end encryption
GDPR Article 32 isn't a recommendation: it sets four binding technical obligations on personal-data security. Here's what it requires — and how Securoo helps you demonstrate each one.
The General Data Protection Regulation (EU 2016/679, "GDPR") is the European law protecting the personal data of EU citizens. It has been in force since 25 May 2018 and applies to anyone — public or private, inside or outside the EU — who processes data of European residents.
For a professional firm (lawyer, accountant, notary, insurance broker, doctor, property manager) it means something very concrete: you are the "data controller" of your clients' data. It is your responsibility to safeguard them with appropriate technical measures. The supervisory authority holds you accountable in case of a breach — not your software vendor.
Solo practice or multinational, online or paper-based: if you process EU citizens' data, GDPR applies. No size-based exemptions.
You decide the purposes and the means of processing. You are the primary responsible party before the regulator: the technical vendor is your "external processor".
The accountability principle (Art. 5.2) requires you to demonstrate the measures adopted, not just claim them: an audit log, a DPA and a register of processing activities are that evidence.
Fines of up to €20M or 4% of global turnover. European supervisory authorities impose hundreds of penalties every month.
GDPR — Article 32, paragraph 1 — requires appropriate technical and organisational measures to ensure a level of security appropriate to the risk. In particular:
"Taking into account the state of the art, [...] the controller and the processor shall implement appropriate technical and organisational measures [...] including, as appropriate: [a] the pseudonymisation and encryption of personal data; [b] the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; [c] the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; [d] a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing." — GDPR, Art. 32, para. 1
(a) Encrypt personal data to ensure confidentiality by default, and apply pseudonymisation where possible.
(b) Ensure, on an ongoing basis, the four properties of systems processing personal data: confidentiality, integrity, availability and resilience.
(c) Restore availability of and access to personal data quickly in the event of a physical or technical incident.
(d) Maintain a documented process for regularly testing, assessing and evaluating the effectiveness of the measures adopted.
Article 32, letter (a), explicitly cites the encryption of personal data as an example measure. It is the only technical measure named explicitly in the regulation. In practice: without encryption, demonstrating a "level of security appropriate to the risk" before a regulator is virtually impossible.
Every client document — contract, expert report, ID, medical record — must be encrypted. Locking it behind a cloud-drive password isn't enough: you need end-to-end encryption with keys the vendor doesn't hold.
Point by point. No vague claims: every measure has a verifiable technical reference.
(a) AES-256 for content, RSA 4096-bit for keys. Keys never reach our servers.
(b) Confidentiality, integrity, availability, resilience: each backed by a dedicated technical mechanism.
(c) RPO (recovery point objective) under 1 hour, RTO (recovery time objective) under 4 hours, 30-day retention.
(d) Documented periodic testing and review, carried out every calendar year.
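The encryption claim in point (a) and the integrity property in point (b) both rest on the same envelope pattern: the client encrypts each document with a fresh AES-256 key, wraps that key with an RSA-4096 public key, and sends the server only the ciphertext and the wrapped key. The following Go program is an added illustration of that pattern, written for this page; it is not Securoo's code, whose implementation the page does not show. The struct name Envelope, the OAEP label, the helper TamperedCopy and the sample document are all constructed for the example; AES-GCM is assumed as the content mode because it also gives the tamper detection that point (b) requires.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// Envelope is everything the storage server ever receives (constructed
// illustration, not a real product format): the AES-256-GCM ciphertext
// with its authentication tag, and the content key wrapped with the
// client's RSA-4096 public key. No private key and no plaintext.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
	WrappedKey []byte
}

// oaepLabel binds the wrapped key to its purpose; it must match on both
// sides. The value is an assumption of this example.
var oaepLabel = []byte("document-content-key")

// Seal runs on the client: a fresh random 256-bit key encrypts the
// document, then that key is wrapped with RSA-OAEP so only the holder of
// the matching private key can unwrap it.
func Seal(pub *rsa.PublicKey, doc []byte) (*Envelope, error) {
	contentKey := make([]byte, 32) // 32 bytes = AES-256
	if _, err := rand.Read(contentKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(contentKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, contentKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &Envelope{
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, doc, nil),
		WrappedKey: wrapped,
	}, nil
}

// Open runs on the client holding the RSA private key. GCM authenticates
// the ciphertext, so a modification made in storage is reported as an
// error instead of being silently decrypted into garbage.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	contentKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, oaepLabel)
	if err != nil {
		return nil, fmt.Errorf("unwrap content key: %w", err)
	}
	block, err := aes.NewCipher(contentKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// TamperedCopy models a storage-side modification: a copy of the envelope
// with one ciphertext byte flipped. Open must reject it.
func TamperedCopy(env *Envelope) *Envelope {
	ct := append([]byte(nil), env.Ciphertext...)
	ct[0] ^= 0x01
	return &Envelope{Nonce: env.Nonce, Ciphertext: ct, WrappedKey: env.WrappedKey}
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 4096)
	if err != nil {
		log.Fatal(err)
	}
	// Constructed sample document; not real personal data.
	doc := []byte("sample client file")
	env, err := Seal(&priv.PublicKey, doc)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("server stores %d ciphertext bytes and a %d-byte wrapped key\n",
		len(env.Ciphertext), len(env.WrappedKey))
	if _, err := Open(priv, TamperedCopy(env)); err != nil {
		fmt.Println("tampered copy rejected:", err)
	}
	plain, err := Open(priv, env)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("client recovers: %q\n", plain)
}
```

The wrapped key is 512 bytes (the RSA-4096 modulus size) and the ciphertext is the document length plus a 16-byte GCM tag; neither gives the server the content key. Flipping a single stored byte makes Open fail, which is the concrete mechanism behind the "integrity" property, and the private key never has to exist on the server for the scheme to work.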
Non-compliance with Art. 32 isn't a bureaucratic formality: administrative sanctions are concrete, recent, and being applied across the EU. The European case law — including against small firms — is now well established.
Sanctions are public: the supervisory authority publishes the order online with the firm's name. The reputational impact is often more costly than the fine itself.
Five questions, three minutes. You'll receive a quick assessment of your exposure and a downloadable checklist ready to share with your DPO or legal counsel.