Processing Security

Processing security covers the technical and organisational measures you must implement to protect personal data against unauthorised access, loss and destruction. GDPR Article 32 requires a level of security appropriate to the risk.

    What is processing security?

    Processing security is the complete set of security measures that protect personal data during processing. It is about ensuring that data is not accessed by unauthorised parties, is not lost, is not altered unintentionally and is not destroyed.

    GDPR Article 32 requires that both data controllers and data processors implement appropriate measures. What is "appropriate" depends on a specific risk assessment, where you take into account the current technology, implementation costs, the nature of the processing and the potential consequence for data subjects.

    Processing security is not a one-off task. You must continuously evaluate and update your measures as the threat landscape and your organisation change.

    Requirements in GDPR Article 32

    Article 32 mentions four specific measures that may form part of processing security:

    • Pseudonymisation and encryption of personal data
    • Confidentiality, integrity, availability and resilience of processing systems
    • Timely restoration of access to personal data following a physical or technical incident
    • Regular testing and evaluation of the effectiveness of security measures

    The list is not exhaustive. You must assess what is necessary based on your specific situation. If you process sensitive personal data on a large scale, the requirements are higher than for simple contact registration.

    Inadequate processing security can lead to fines and orders from the Danish Data Protection Agency.

    Technical and organisational measures

    The technical and organisational measures (TOMs) are at the core of processing security. They are typically divided into two categories:

    Technical measures include:

    • Encryption of data in transit and at rest
    • Access control with role-based permissions
    • Logging of access to and changes in systems
    • Firewalls, antivirus software and security updates
    • Backup and disaster recovery

    Organisational measures include:

    • Security policies and guidelines
    • Training and awareness programmes for staff
    • Procedures for handling data breaches
    • Requirements for suppliers via data processing agreements
    • Regular audits and controls

    Risk assessment in practice

    The starting point for processing security is always a risk assessment. You must assess both the likelihood and the consequences of security incidents for data subjects.

    Start by mapping your processing activities in your record of processing activities. For each activity, assess:

    • What types of personal data are processed (ordinary vs. sensitive)?
    • How many data subjects are affected?
    • What are the potential consequences of a breach?
    • What threats are realistic (hacking, human error, system failure)?

    Where there is high risk, a data protection impact assessment (DPIA) may be required. Your DPO can help assess when this is necessary.

    Document your risk assessment and the chosen measures. This is essential for demonstrating compliance during supervisory inspections.

    Frequently Asked Questions about Processing Security

    What does GDPR Article 32 require regarding processing security?

    Article 32 requires that data controllers and data processors implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. This includes pseudonymisation, encryption, the ability to ensure confidentiality, integrity and availability, and regular testing of security measures.

    Who is responsible for processing security?

    Both the data controller and the data processor have an independent responsibility for processing security. The data controller must ensure that the data processor provides sufficient guarantees for appropriate security measures, and this must be set out in the data processing agreement.

    What are appropriate security measures?

    There is no fixed list. You must assess the appropriate level based on current technological developments, implementation costs, the nature, scope and purpose of the processing, and the risk to data subjects' rights. The more sensitive the data, the stronger the measures required.

    Must you document your processing security?

    Yes. You must be able to document that you have assessed the risk and implemented appropriate measures. The documentation should be included in your record of processing activities and may be requested during inspections by the Data Protection Agency.
