Compliance · April 30, 2026 · 6 min read

GDPR Security Requirements: What Your Organisation Actually Needs to Have in Place

GDPR requires organisations to implement appropriate technical and organisational measures to protect personal data. But what does that actually mean in practice? This guide explains.

Key figures:

  • 72 hrs: breach notification deadline
  • £17.5M: maximum ICO fine under UK GDPR
  • Article 32: core security requirement

GDPR Security Requirements

Article 32 of GDPR requires organisations to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. This deliberately vague language has led to significant confusion about what organisations actually need to have in place. This guide explains what the ICO and other European data protection authorities expect in practice.

What does “appropriate technical measures” mean?

The regulation does not prescribe specific technical controls — it requires that controls be proportionate to the risk involved. In practice, the ICO and European Data Protection Board have consistently found that organisations failing to implement basic security controls are in breach of Article 32, regardless of the scale or sensitivity of the breach.

Consistently expected technical measures include encryption of personal data at rest and in transit, access controls limiting who can access personal data, multi-factor authentication, vulnerability management, logging and monitoring, and the ability to detect and respond to breaches within 72 hours.

What does “appropriate organisational measures” mean?

  • A documented information security policy that is actively maintained and communicated to staff
  • Regular security awareness training for all staff handling personal data
  • A documented data breach response procedure with clear roles and responsibilities
  • Records of Processing Activities documenting what personal data you hold and why
  • Data Protection Impact Assessments for high-risk processing activities
  • Supplier due diligence and data processing agreements with all third parties handling your data

What happens when you get it wrong?

The ICO has issued fines ranging from thousands to millions of pounds for Article 32 failures. Common findings in enforcement actions include failure to implement MFA, unencrypted personal data, absence of access controls, failure to patch known vulnerabilities and inadequate staff training.

Beyond fines, a breach requiring ICO notification creates significant reputational risk, client notification obligations and potential civil claims from affected individuals. The cost of a breach consistently exceeds the cost of the security measures that would have prevented it.

How Octa1ne supports GDPR compliance

Octa1ne uses Microsoft Purview to discover, classify and protect personal data across your Microsoft environment automatically — enforcing DLP policies, monitoring for data exfiltration and generating the audit evidence your DPO and auditors require. Our compliance service maintains your GDPR technical controls continuously, not just at audit time.

WRITTEN BY
Octa1ne Security Team

The Octa1ne security team comprises certified analysts, engineers and security specialists delivering managed cybersecurity services to organisations worldwide.
