
Security measures

Learn about security measures under the GDPR.

πŸ” Introduction

The GDPR (Article 32) requires data controllers and processors to guarantee the security of personal data through appropriate technical and organisational measures. These measures must be proportionate to the risks presented by the processing, the nature of the data and the purposes pursued.

🎯 Objective: ensure the confidentiality, integrity, availability and resilience of systems and data.


βš–οΈ A risk-based approach

Before choosing measures, you must:

  1. Identify the elements to protect (data, systems, flows).

  2. Assess the threats and vulnerabilities (human error, attack, failure, etc.).

  3. Determine the potential impacts (loss, disclosure, alteration…).

  4. Choose appropriate measures to reduce these risks to an acceptable level.

🧩 The GDPR does not prescribe a fixed list of measures: it imposes a reinforced obligation of means (a best-efforts duty, not a guarantee of result). Each organisation must adapt its approach to its own context and be able to demonstrate, with evidence, that the measures chosen are appropriate.


🧱 Categories of security measures

🔧 Technical measures

Domain / Examples

  • Access control: strong authentication (MFA), rights management, logging

  • Encryption: data at rest and in transit, TLS certificates, managed and renewed keys

  • Pseudonymisation / anonymisation: logical separation, hashing, tokens

  • Backups and resilience: regular backups, restoration tests, redundancy

  • Application security: penetration tests, patches, server hardening

  • Monitoring: SIEM, alerts for abnormal access, incident detection


🧭 Organisational measures

Domain / Examples

  • Security policy: IT charter, information security governance, incident management plan

  • Training & awareness: internal campaigns, e-learning modules, phishing simulations

  • Third-party management: contractual clauses, processor audits, regular assessments

  • Internal procedures: authorisation process, business continuity plan, periodic review


🏢 Physical measures

Domain / Examples

  • Physical access: badge control, CCTV, restricted areas

  • Hardware protection: safes, secured racks, backup power supplies

  • Secure destruction: shredding, certified erasure, IT waste management


πŸ” Security management cycle

  1. Identify: data, systems, vulnerabilities, threats.

  2. Assess: risks and potential impacts.

  3. Protect: define and apply security measures.

  4. Monitor: detect incidents, audit controls.

  5. Improve: correct, strengthen, document actions.


💼 Security measures in Dastra

  • 🧩 Map your measures in the record of processing activities, by activity or by processor.

  • πŸ” Assess risks with the risk management module.

  • 🧠 Plan corrective actions and track their progress.

  • 🧾 Trace compliance evidence (policies, audits, proof of execution).

