
Regulation & Compliance

GDPR & IT Security:
Technical Measures under Art. 32

The GDPR is not purely a data protection topic: it imposes concrete requirements on your IT security. Art. 32 obliges organisations to implement demonstrable technical and organisational measures (TOMs). Failing to do so exposes you to fines of up to EUR 10 million or 2% of global annual turnover (Art. 83(4)); infringements of the basic principles of processing, including integrity and confidentiality under Art. 5, carry up to EUR 20 million or 4%.

Last updated: March 2026 · Reviewed by certified experts

Entry into force: 25 May 2018, directly applicable across the EU
Territorial scope: EU and beyond; applies to non-EU organisations targeting EU residents
Supervisory authorities: 27+, one per EU member state (a lead authority handles cross-border cases)
Total EU fines: more than EUR 4.5B issued since 2018 (enforcement tracker)
Maximum fine: EUR 20M or 4% of global annual turnover, whichever is higher
Technical measures: Art. 32
Breach notification: 72h

Fundamentals

GDPR and IT Security: Why data protection requires technical security

The General Data Protection Regulation (Regulation EU 2016/679) has applied directly in all EU member states since 25 May 2018. It protects the fundamental rights of natural persons in the processing of their personal data. What many organisations underestimate: the GDPR contains concrete security requirements that go far beyond a privacy policy on a website.

Most data breaches trace back to technical and operational weaknesses: unprotected databases, missing encryption, inadequate access management, successful phishing attacks or unpatched vulnerabilities. The GDPR holds the controller (and, for its own obligations, the processor) accountable for these weaknesses, with significant fine exposure.

Crucially, the GDPR does not prescribe specific technologies but requires a risk-based approach. The measures implemented must be appropriate to the risk to the individuals concerned - meaning organisations must know and systematically mitigate the risks of their processing activities.

Art. 5
Principles of processing
Integrity and confidentiality as an explicit data protection principle - technical security is not an annex but a foundation.
Art. 25
Privacy by Design and Default
Data protection must be built into systems from the outset, not bolted on after the fact.
Art. 32
Technical and organisational measures
Concrete obligation to implement encryption, pseudonymisation, resilience and regular review of security measures.
Art. 33/34
Data breach notification
72-hour deadline for notifying the supervisory authority; notification of affected individuals may also be required.
Art. 35
Data Protection Impact Assessment
Risk analysis before deploying high-risk processing activities - comparable to a security risk assessment methodology.

Art. 32 GDPR

Technical and Organisational Measures (TOMs): What your organisation must implement

Art. 32(1) GDPR lists four explicit measures, (a) to (d), and additionally requires a risk-based approach that takes the state of the art, implementation costs and the nature, scope, context and purposes of the processing into account. The following areas are directly relevant for every organisation that processes personal data.

Encryption

Personal data must be encrypted at rest (databases, backups, laptops and removable media) and in transit (TLS 1.2 or higher, HTTPS everywhere). AES-256 in an authenticated mode such as AES-GCM for stored data, keys held separately from the data (KMS or HSM) with documented rotation, proper certificate management, no weak cipher suites. Encryption that renders the data unintelligible to unauthorised parties is also what exempts you from notifying data subjects after a breach (Art. 34(3)(a)).

Art. 32(1)(a)
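As an added example (not code from the original page), the following Python module shows what "TLS 1.2+, no weak cipher suites" looks like as an enforced configuration rather than a policy sentence: a hardened server and client `ssl.SSLContext`, a deliberately weak "before" context for comparison, and an `audit()` function that a service can run at start-up and fail closed on. The cipher string, the list of weak-suite markers and the audit rules are the editor's choices; TLS 1.3 suites are fixed by the protocol and always AEAD, so the cipher string only governs TLS 1.2.

```python
"""Hardened TLS configuration for a service handling personal data
(encryption in transit, Art. 32(1)(a)) plus a start-up self-check.

Added example, not code from the page. CIPHERS_TLS12, WEAK_MARKERS and the
audit rules are the editor's assumptions about a sensible baseline."""
import ssl
from typing import List, Optional

# TLS 1.2: ECDHE (forward secrecy) with AEAD suites only; known-weak families excluded.
CIPHERS_TLS12 = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES:!DES:!EXPORT"

# Substrings that must not appear in an enabled suite name (OpenSSL naming).
WEAK_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "MD5", "EXP-", "ADH", "AECDH")


def build_server_context(certfile: Optional[str] = None,
                         keyfile: Optional[str] = None) -> ssl.SSLContext:
    """Server side: protocol floor TLS 1.2, AEAD-only suites, no compression."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(CIPHERS_TLS12)
    ctx.options |= ssl.OP_NO_COMPRESSION            # TLS compression enables CRIME-class leaks
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE  # server chooses the strongest common suite
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def build_client_context() -> ssl.SSLContext:
    """Client side: system trust store, hostname verification, same floor and suites."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(CIPHERS_TLS12)
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def legacy_context() -> ssl.SSLContext:
    """The 'before' picture for comparison: no protocol floor at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def enabled_weak_ciphers(ctx: ssl.SSLContext) -> List[str]:
    """Names of enabled suites that match a weak marker; empty list means none."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(marker in c["name"] for marker in WEAK_MARKERS)]


def audit(ctx: ssl.SSLContext) -> List[str]:
    """Returns findings; an empty list means the context passes the baseline."""
    findings: List[str] = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version below TLS 1.2")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression not disabled")
    findings += [f"weak cipher suite enabled: {name}" for name in enabled_weak_ciphers(ctx)]
    if ctx.protocol == ssl.PROTOCOL_TLS_CLIENT and ctx.verify_mode == ssl.CERT_NONE:
        findings.append("server certificate verification disabled")
    return findings


if __name__ == "__main__":
    for label, ctx in (("server", build_server_context()),
                       ("client", build_client_context()),
                       ("legacy", legacy_context())):
        print(label, audit(ctx) or "OK")
```

Run `audit()` against the context you actually hand to your HTTP server or client library at start-up and refuse to serve if it returns findings; that turns the Art. 32(1)(d) "regular testing" requirement for this one control into something that happens on every deployment.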

Pseudonymisation

Separation of identifying attributes and content data by technical measures (Art. 4(5) GDPR). Re-identification only possible with the additional information, which is stored separately and protected by its own technical and organisational measures. Limits the harm to data subjects if the content dataset leaks, and supervisory authorities take it into account when assessing fines (Art. 83(2)(c) and (d)).

Art. 32(1)(a)
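As an added example (not code from the original page), the following Python module implements the separation described above: identifying attributes are replaced by a keyed pseudonym, the content data keeps only that pseudonym, and the re-identification table is returned as a separate object that must live in a different store with its own access controls. The record layout, the field names, the choice of HMAC-SHA256 and the sample records are the editor's assumptions; the sample data is constructed and describes no real person.

```python
"""Pseudonymisation in the sense of Art. 4(5) GDPR: keyed pseudonyms for the
identifying attributes, content data and re-identification table kept apart.

Added example, not code from the page. IDENTIFYING_FIELDS, the record layout
and SAMPLE_RECORDS are constructed for illustration."""
import hashlib
import hmac
from typing import Dict, List, Tuple

# Assumption: these fields identify the person; every other field is content data.
IDENTIFYING_FIELDS = ("name", "email", "date_of_birth")


def canonical_identity(record: Dict[str, str]) -> str:
    """Normalise identifying attributes so spelling variants of the same person
    (case, surrounding whitespace) yield the same pseudonym."""
    return "\x1f".join(record[f].strip().lower() for f in IDENTIFYING_FIELDS)


def make_pseudonym(record: Dict[str, str], key: bytes) -> str:
    """Keyed pseudonym. A plain SHA-256 of an e-mail address can be reversed by
    hashing candidate addresses; with an HMAC that needs the key, and a separate
    key per dataset also prevents linking the same person across datasets."""
    mac = hmac.new(key, canonical_identity(record).encode("utf-8"), hashlib.sha256)
    return mac.digest()[:16].hex()  # 128 bits: collisions are not a practical concern


def pseudonymise(records: List[Dict[str, str]], key: bytes
                 ) -> Tuple[List[Dict[str, str]], Dict[str, Dict[str, str]]]:
    """Split records into (1) the content dataset carrying only the pseudonym and
    (2) the re-identification table {pseudonym: identifying attributes}.
    The table is the 'additional information' of Art. 4(5): store it separately,
    encrypted, and restrict access to the few roles that may re-identify."""
    content: List[Dict[str, str]] = []
    reidentification: Dict[str, Dict[str, str]] = {}
    for rec in records:
        pid = make_pseudonym(rec, key)
        content.append({"pseudonym": pid,
                        **{k: v for k, v in rec.items() if k not in IDENTIFYING_FIELDS}})
        reidentification.setdefault(pid, {f: rec[f].strip() for f in IDENTIFYING_FIELDS})
    return content, reidentification


def reidentify(row: Dict[str, str], reidentification: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Restores the full record; only possible with the separately held table."""
    identity = reidentification[row["pseudonym"]]
    return {**identity, **{k: v for k, v in row.items() if k != "pseudonym"}}


# Constructed sample records (fictitious persons).
SAMPLE_RECORDS = [
    {"name": "Erika Mustermann", "email": "erika@example.com",
     "date_of_birth": "1980-01-01", "plan": "premium", "open_tickets": "2"},
    {"name": " Erika Mustermann", "email": "ERIKA@example.com",   # same person, different spelling
     "date_of_birth": "1980-01-01", "plan": "premium", "open_tickets": "3"},
    {"name": "Max Mustermann", "email": "max@example.com",
     "date_of_birth": "1975-05-05", "plan": "basic", "open_tickets": "0"},
]

if __name__ == "__main__":
    import secrets
    key = secrets.token_bytes(32)  # in production: from a KMS/HSM, never stored next to the data
    content, table = pseudonymise(SAMPLE_RECORDS, key)
    for row in content:
        print(row)                 # analysts work on these rows only
    print("re-identified:", reidentify(content[2], table))
```

Note what the split does and does not achieve: the content rows still carry attributes (plan, ticket counts) that can single out a person when combined with external data, so pseudonymisation reduces risk but does not make the dataset anonymous; the GDPR continues to apply to it.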

Resilience of systems

Ongoing assurance of confidentiality, integrity and availability. Redundancy concepts, DDoS protection, high-availability architectures. No single points of failure for critical systems.

Art. 32(1)(b)

Recoverability

Ability to restore availability and access to personal data in a timely manner following an incident. Tested backup concepts (3-2-1 rule), documented recovery procedures, regular restore tests.

Art. 32(1)(c)

Regular testing

A process for regularly testing, assessing and evaluating the effectiveness of the TOMs. Penetration tests, vulnerability scans, internal audits and risk reviews are recognised methods.

Art. 32(1)(d)

Access & authorisation control

Role-based access control (RBAC) with least privilege, multi-factor authentication for sensitive systems and all administrative access, regular access reviews including removal of stale accounts, secure password management and comprehensive access logging that is itself protected against tampering.

Extended: Art. 5(1)(f), Art. 32(2) and Art. 32(4)

Art. 35 GDPR

Data Protection Impact Assessment (DPIA)

A Data Protection Impact Assessment (DPIA) under Art. 35 GDPR is a structured risk analysis that must be carried out before certain processing activities are commenced. It is methodologically comparable to an IT security risk assessment - and therefore benefits significantly from security expertise.

Each EU supervisory authority publishes a list of processing types that always require a DPIA - including systematic profiling, biometric processing and the use of new technologies involving health data. Beyond these lists, the obligation applies whenever processing is likely to result in a high risk to individuals.

A DPIA must at minimum contain: a systematic description of the processing, an assessment of the necessity and proportionality, an assessment of the risks to data subjects, and the measures envisaged to address those risks (Art. 35(7)). An inadequate or missing DPIA is itself subject to fines (Art. 83(4)(a)).

When is a DPIA mandatory?

  • Systematic and extensive evaluation of personal aspects by automated processing, including profiling with significant effects on individuals
  • Large-scale processing of special categories of data (Art. 9 GDPR: health, religion, ethnicity, political opinions, biometric data)
  • Systematic large-scale monitoring of publicly accessible areas (e.g. video surveillance)
  • Use of new technologies with insufficiently known risk profiles (AI, IoT, behavioural analytics)
  • Processing data of vulnerable individuals (children, employees under employer surveillance)
  • Matching or combining datasets from different sources
  • Processing biometric or genetic data for unique identification

Source: Art. 35(4) GDPR requires each supervisory authority to establish and publish a list of processing operations subject to the DPIA requirement. See your national supervisory authority's published list for jurisdiction-specific guidance.

Art. 33 & 34 GDPR

Data breach notification obligations

When a personal data breach occurs, the 72-hour clock starts when the controller becomes aware of it, i.e. has a reasonable degree of certainty that a security incident has compromised personal data. Where not all information is available, the notification may be submitted in phases (Art. 33(4)), and a late notification must be accompanied by reasons for the delay (Art. 33(1)). Without prepared incident response processes, meeting this deadline is very difficult.

0-72 hours

Notify supervisory authority

  • Nature and extent of the breach
  • Categories of personal data affected
  • Approximate number of individuals affected
  • Contact details of the DPO
  • Likely consequences of the breach
  • Measures taken or proposed to address it

Art. 33 GDPR - Report to your lead supervisory authority (or local authority for domestic breaches)

Without undue delay

Notify affected individuals

  • Only where high risk to individuals exists
  • In clear and plain language
  • Description of the nature of the breach
  • Contact details of the DPO
  • Likely consequences
  • Recommendations for individuals to mitigate risk

Art. 34 GDPR - Exception under Art. 34(3)(a) where the affected data was rendered unintelligible to unauthorised persons, e.g. effectively encrypted with a key that was not itself compromised

Ongoing

Internal documentation

  • Full documentation of all breaches
  • Record even non-notifiable incidents
  • Root cause analysis and remediation measures
  • Basis for decision on notification obligation
  • Evidence for supervisory authorities
  • Retain for as long as you may need to demonstrate compliance; the GDPR sets no fixed period (3 years is a common internal policy, not a legal minimum)

Art. 33(5) GDPR - Accountability principle under Art. 5(2)
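As an added example (not code from the original page), the following Python module encodes the decision logic of the three stages above in a breach register entry: the 72-hour deadline computed from the moment of awareness, the Art. 33 decision (notify unless the breach is unlikely to result in a risk), the Art. 34 decision with the encryption exception, a flag for when reasons for delay become mandatory, and a decision basis recorded for every breach, notifiable or not. The three-step risk scale, the field names, the DPO contact and the sample incident are the editor's assumptions; the risk rating itself remains the outcome of the controller's assessment and is an input here, not computed.

```python
"""Breach register with the Art. 33/34 GDPR decision logic.

Added example, not code from the page. RISK_LEVELS, the Breach fields and
make_sample() are the editor's constructions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List

NOTIFICATION_WINDOW = timedelta(hours=72)
RISK_LEVELS = ("unlikely", "risk", "high")   # assumption: outcome of the risk assessment


@dataclass
class Breach:
    nature: str                      # what happened (Art. 33(3)(a))
    data_categories: List[str]
    approx_subjects: int
    approx_records: int
    risk: str                        # one of RISK_LEVELS, assessed for the data subjects
    became_aware: datetime           # reasonable certainty that personal data was compromised
    data_encrypted: bool = False     # unintelligible to unauthorised persons (Art. 34(3)(a))
    key_compromised: bool = False    # the exception falls away if the key leaked as well
    likely_consequences: str = ""
    measures: List[str] = field(default_factory=list)
    dpo_contact: str = "dpo@example.com"   # assumption

    def __post_init__(self) -> None:
        if self.risk not in RISK_LEVELS:
            raise ValueError(f"risk must be one of {RISK_LEVELS}")
        if self.became_aware.tzinfo is None:
            raise ValueError("became_aware must be timezone-aware")


def authority_deadline(b: Breach) -> datetime:
    """Art. 33(1): not later than 72 hours after becoming aware."""
    return b.became_aware + NOTIFICATION_WINDOW


def must_notify_authority(b: Breach) -> bool:
    """Art. 33(1): notify unless the breach is unlikely to result in a risk."""
    return b.risk != "unlikely"


def must_notify_subjects(b: Breach) -> bool:
    """Art. 34(1): high risk means informing data subjects; Art. 34(3)(a): not
    required if the data were effectively encrypted and the key stayed protected."""
    if b.risk != "high":
        return False
    return not (b.data_encrypted and not b.key_compromised)


def authority_notification(b: Breach) -> Dict[str, object]:
    """The content Art. 33(3) requires in the notification."""
    return {"nature": b.nature, "data_categories": b.data_categories,
            "approx_data_subjects": b.approx_subjects, "approx_records": b.approx_records,
            "dpo_contact": b.dpo_contact, "likely_consequences": b.likely_consequences,
            "measures": b.measures}


def register(b: Breach, now: datetime) -> Dict[str, object]:
    """Register entry (Art. 33(5)): facts, effects, remedial action and the
    reasoning behind the notification decision, recorded for every breach."""
    deadline = authority_deadline(b)
    notify_authority = must_notify_authority(b)
    return {
        "became_aware": b.became_aware.isoformat(),
        "notify_authority": notify_authority,
        "authority_deadline": deadline.isoformat(),
        "authority_notification": authority_notification(b) if notify_authority else None,
        # Art. 33(1): a notification after the deadline must state the reasons for the delay
        "delay_reasons_required": notify_authority and now > deadline,
        "notify_subjects": must_notify_subjects(b),
        "decision_basis": f"risk={b.risk}; encrypted={b.data_encrypted}; "
                          f"key_compromised={b.key_compromised}",
        "measures": b.measures,
    }


AWARE = datetime(2026, 3, 2, 9, 30, tzinfo=timezone.utc)   # constructed timestamp


def make_sample(risk: str, data_encrypted: bool, key_compromised: bool = False) -> Breach:
    """Constructed sample incident (not a real case) for trying out the decisions."""
    return Breach(nature="Backup volume with customer database exposed via misconfigured share",
                  data_categories=["contact data", "contract data"],
                  approx_subjects=12000, approx_records=12000, risk=risk,
                  became_aware=AWARE, data_encrypted=data_encrypted,
                  key_compromised=key_compromised,
                  likely_consequences="identity misuse if plaintext was obtained",
                  measures=["share closed", "key rotation scheduled", "access logs under review"])


if __name__ == "__main__":
    import json
    print(json.dumps(register(make_sample("high", True), datetime.now(timezone.utc)), indent=2))
```

The point of `register()` returning an entry even when `notify_authority` is false is the Art. 33(5) documentation duty: the supervisory authority may later ask why a breach was not reported, and the recorded `decision_basis` is the answer.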

Enforcement

GDPR fines and enforcement cases

EU supervisory authorities have imposed significant fines since 2018. These cases illustrate which technical deficiencies most commonly lead to sanctions.

BlnBDI Berlin (DE) · 2019

Deutsche Wohnen SE

EUR 14.5M

Archiving system without the ability to delete tenant data that was no longer necessary. Personal data was retained beyond its required retention period, with no technical mechanism for deletion. The design lesson: retention limits and erasure are technical measures that must be built into archiving systems from the outset (Art. 25), not added later. The fine was subsequently challenged in court.

Legal basis: Art. 5, 25 GDPR
LfD Lower Saxony (DE) · 2021

Notebooksbilliger.de

EUR 10.4M

Video surveillance of employees without adequate legal basis - for over six years. Absence of purpose limitation and proportionality. A case study in unlawful systematic monitoring of workers.

Legal basis: Art. 5, 6, 13 GDPR
BfDI (DE) · 2019/21

1&1 Telecom GmbH

EUR 9.55M

Inadequate authentication in the call centre: callers could obtain customers' data simply by providing a name and date of birth, without sufficient identity verification. Knowledge-based authentication using attributes that are easy to obtain is no substitute for a proper identity check. Direct Art. 32 violation; the Regional Court of Bonn later reduced the fine to EUR 900,000 while upholding the violation itself.

Legal basis: Art. 32 GDPR
LDI NRW (DE) · 2023

Bochum retailer

EUR 525K

Unencrypted storage of customer data on a server with insufficient access controls. Data breach caused by misconfiguration, with delayed notification to the supervisory authority.

Legal basis: Art. 32, 33 GDPR
Note: The GDPR Enforcement Tracker maintained by the law firm CMS documents over 2,400 fine decisions across the EU with a combined value of more than EUR 4.5 billion (as of 2025). The largest single fine was EUR 1.2 billion imposed on Meta by the Irish Data Protection Commission in 2023. Source: enforcementtracker.com.

Why AWARE7 for GDPR compliance

What sets us apart from other providers

Pure awareness platforms do not test systems. Pure consulting groups are too far removed. AWARE7 combines both: we hack your infrastructure and train your employees, tailored to the Mittelstand, personal, without enterprise overhead.

Research and teaching as the foundation

Around 20% of our revenue comes from research projects for the BSI and the BMBF. Our studies analyse millions of websites and tens of thousands of phishing e-mails, published at ACM and Springer conferences. Three of our executives are also professors at German universities.

Digital sovereignty, no compromises

All data is stored and processed exclusively in Germany, without US cloud providers. No freelancers, no subcontractors in the value chain. All employees are regular, socially insured staff and are uniformly bound by legal obligations. VS-NfD compliant on request.

Fixed price within 24 hours, predictable project timelines

Within 24 hours you receive a binding fixed-price quote: no hourly-rate risk, no additional claims, no surprises. Thanks to a well-practised team and standardised processes you get a clear schedule with a defined start and end date.

Your dedicated contact person, reachable at any time

A personal project manager accompanies you from the first conversation to the re-test. You book appointments directly with your contact: no ticket systems, no call centre, no switching between changing consultants. Continuity creates trust.

Who are we the right partner for?

Mittelstand companies with 50 to 2,000 employees

Companies that need real security without paying for a DAX-corporation service provider. Fixed price, clear scope, one point of contact.

IT managers and CISOs

Who need to make a convincing case internally and therefore need a report in board-level language, not just technical findings.

Regulated industries

KRITIS, healthcare, financial services: NIS-2, ISO 27001, DORA. We know the requirements and deliver evidence that auditors accept.

Contributions to industry standards

LLM

OWASP · 2023

OWASP Top 10 for Large Language Models

Prof. Dr. Matteo Große-Kampmann as a contributor in the core team of the internationally recognised OWASP LLM security standard.

BSI

BSI · Allianz für Cyber-Sicherheit (Alliance for Cyber Security)

Management von Cyber-Risiken (Management of Cyber Risks)

Prof. Dr. Matteo Große-Kampmann as a contributor to the official BSI handbook for company management (German edition).

„Art. 32 GDPR is systematically underestimated by many organisations. It does not prescribe specific technologies - but it does require demonstrable, risk-based security measures. Ignoring this creates not just legal liability, but genuine responsibility towards the individuals whose data you process.“

Jan Hornemann

Researcher in Privacy and GDPR · AWARE7 GmbH

Frequently asked questions about GDPR

Answers to the most common questions about GDPR compliance and technical security measures.

What does Art. 32 GDPR require?

Article 32 GDPR obliges controllers and processors to implement appropriate technical and organisational measures (TOMs) to ensure a level of security appropriate to the risk. The article explicitly mentions: pseudonymisation and encryption of personal data, the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore availability and access in a timely manner following an incident, and a process for regularly testing, assessing and evaluating the effectiveness of measures. The article does not prescribe specific technologies; the level of security must be commensurate with the risks to the data subjects.

What is a Data Protection Impact Assessment and when is it mandatory?

A Data Protection Impact Assessment (DPIA) under Art. 35 GDPR is a systematic risk analysis for processing activities that are likely to result in a high risk to the rights and freedoms of natural persons. It is mandatory for: systematic and extensive profiling with significant effects, large-scale processing of special category data (Art. 9), and systematic monitoring of publicly accessible areas. Each EU supervisory authority publishes a list of processing operations that always require a DPIA. A DPIA must at minimum describe the processing, assess necessity and proportionality, assess risks to data subjects, and document the measures envisaged to address those risks.

How high can GDPR fines be?

The GDPR provides two fine tiers: For less severe infringements (e.g. failure to implement adequate technical measures under Art. 32) up to EUR 10 million or 2% of global annual turnover, whichever is higher. For severe infringements (e.g. violations of basic principles, unlawful processing) up to EUR 20 million or 4% of global annual turnover, whichever is higher. Notable fines in Europe include: Meta/Facebook (EUR 1.2 billion, 2023), Amazon (EUR 746 million, 2021), WhatsApp (EUR 225 million, 2021), and Deutsche Wohnen SE (EUR 14.5 million, Germany, 2019). Supervisory authorities across the EU are increasingly active.

What has to happen after a personal data breach?

In the event of a personal data breach, Art. 33 GDPR requires notification to the competent supervisory authority within 72 hours of becoming aware of the breach. The notification must contain: the nature of the breach, the categories and approximate number of data subjects and records concerned, contact details of the data protection officer, the likely consequences, and the measures taken or proposed to address the breach. Where the breach is likely to result in a high risk to individuals, those individuals must also be notified without undue delay under Art. 34. A documented incident response procedure is therefore essential: a 72-hour deadline requires complete processes from the moment of discovery.

When must a data protection officer (DPO) be designated?

The obligation to designate a DPO under Art. 37 GDPR applies where: the core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or the core activities consist of processing on a large scale of special categories of data. EU member states may introduce additional requirements; Germany, for example, mandates a DPO for any organisation where at least 20 employees are regularly involved in automated data processing. The DPO can be an employee or an external service provider. AWARE7 provides qualified external DPO services.

What do Privacy by Design and Privacy by Default mean in practice?

Privacy by Design (Art. 25 GDPR) requires that data protection principles be implemented at the time of the design of processing activities and IT systems, not as an afterthought. Concretely: data minimisation from the start, privacy-friendly default settings, pseudonymisation as a core principle, granular access controls from the first code commit. Privacy by Default (Art. 25(2)) adds: only personal data necessary for each specific purpose should be processed by default. Technical implementation means: strong authentication, encryption at rest and in transit, comprehensive logging, and secure deletion concepts.

How do the GDPR and ISO 27001 relate to each other?

GDPR and ISO 27001 are complementary: GDPR defines the protection objective (personal data), while ISO 27001 provides the methodological framework (ISMS) for systematically achieving that objective. An ISO-27001-certified organisation has already structurally addressed many Art. 32 requirements: risk assessment, access control, cryptography, business continuity, security in development. Conversely, GDPR compliance alone does not satisfy ISO 27001, since the standard is considerably broader and covers all information assets (not just personal data). We recommend an integrated approach that addresses both sets of requirements together.

Do penetration tests contribute to GDPR compliance?

Yes, directly. Art. 32(1)(d) GDPR explicitly requires 'a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures'. Regular penetration tests and vulnerability scans are a recognised means of meeting this obligation. Pentests also uncover technical weaknesses that could otherwise lead to a notifiable data breach; a successful attack exploiting a known, unpatched vulnerability increases the controller's exposure, because supervisory authorities weigh the measures actually implemented and the degree of negligence when setting fines (Art. 83(2)(b) and (d)). Keep scope, findings and remediation evidence: the test report is your proof that the Art. 32(1)(d) process exists.

Book a free GDPR security consultation

We assess your technical measures against Art. 32 GDPR and show you where action is required - specific, prioritised and with a fixed-price proposal.

Free · 30 minutes · No obligation