Article 32 sets out the security measures that a controller must take to protect the personal data it processes.
The article mainly addresses security measures that the controller can implement during the process. To determine which security measures are appropriate, the following factors should be considered:
- the cost of the implementation;
- the nature, scope, context and purposes of the processing;
- the risk and severity of the processing.
These factors should then be evaluated to decide what degree of security measures is appropriate for the particular processing.
Pseudonymisation and encryption are two examples of measures that could be carried out by a controller to protect personal data.