
# Security measures

### 🔍 Introduction

The GDPR (Article 32) requires data controllers and processors to **guarantee the security of personal data** through **appropriate technical and organisational measures**. These measures must be **proportionate to the risks** presented by the processing, the **nature of the data** and the **purposes pursued**.

> 🎯 Objective: ensure the **confidentiality**, **integrity**, **availability** and **resilience** of systems and data.

***

### ⚖️ A risk-based approach

Before choosing measures, you must:

1. Identify the **elements to protect** (data, systems, flows).
2. Assess the **threats and vulnerabilities** (human error, attack, failure, etc.).
3. Determine the **potential impacts** (loss, disclosure, alteration…).
4. Choose **appropriate measures** to reduce these risks to an acceptable level.

> 🧩 The GDPR does not prescribe a fixed list of measures: it imposes a **reinforced obligation of means**, i.e. a duty to take appropriate steps rather than a guarantee of a particular result. Each organisation must **adapt** its approach to its context and be able to **demonstrate** it.

***

### 🧱 Categories of security measures

#### 🔧 Technical measures

| Domain                               | Examples                                                                |
| ------------------------------------ | ----------------------------------------------------------------------- |
| **Access control**                   | Strong authentication (MFA), rights management, logging                 |
| **Encryption**                       | Data at rest and in transit, TLS certificates, managed and renewed keys |
| **Pseudonymisation / anonymisation** | Logical separation, hashing, tokens                                     |
| **Backups and resilience**           | Regular backups, restoration tests, redundancy                          |
| **Application security**             | Penetration tests, patches, server hardening                            |
| **Monitoring**                       | SIEM, alerts for abnormal access, incident detection                    |

***

#### 🧭 Organisational measures

| Domain                     | Examples                                                              |
| -------------------------- | --------------------------------------------------------------------- |
| **Security policy**        | IT charter, information security governance, incident management plan |
| **Training & awareness**   | Internal campaigns, e-learning modules, phishing simulations          |
| **Third-party management** | Contractual clauses, processor audits, regular assessments            |
| **Internal procedures**    | Authorisation process, business continuity plan, periodic review      |

***

#### 🏢 Physical measures

| Domain                  | Examples                                          |
| ----------------------- | ------------------------------------------------- |
| **Physical access**     | Badge control, CCTV, restricted areas             |
| **Hardware protection** | Safes, secured racks, backup power supplies       |
| **Secure destruction**  | Shredding, certified erasure, IT waste management |

***

### 🔁 Security management cycle

1. **Identify**: data, systems, vulnerabilities, threats.
2. **Assess**: risks and potential impacts.
3. **Protect**: define and apply security measures.
4. **Monitor**: detect incidents, audit controls.
5. **Improve**: correct, strengthen, document actions.

***

### 💼 Security measures in Dastra

* 🧩 **Map** your measures in the **record of processing activities**, by activity or by processor.
* 🔍 **Assess risks** with the risk management module.
* 🧠 **Plan corrective actions** and track their progress.
* 🧾 **Trace compliance evidence** (policies, audits, proof of execution).

***

### 📚 Useful resources

* [ICO – Guide to data security](https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/security/)
* [ISO/IEC 27001 – Information security management systems](https://www.iso.org/isoiec-27001-information-security.html)
* [ENISA – Recommendations on cybersecurity](https://www.enisa.europa.eu/)

***

{% hint style="success" %}
💡 **Good practice:** Every new project, processor or tool must be subject to a risk assessment and an update of the associated measures.
{% endhint %}
