GDPR A32-03: Ongoing Confidentiality, Integrity, Availability & Resilience
GDPR Article 32 requires you to maintain continuous protection of personal data processing systems against unauthorized access, modification, and downtime. This control ensures your infrastructure remains secure and operational throughout the data lifecycle. Meeting A32-03 means implementing technical and organizational safeguards that demonstrate accountability to regulators and protect your organization from breaches.
What this means
This control mandates implementing and maintaining measures that protect personal data processing systems across four dimensions: confidentiality (preventing unauthorized access), integrity (preventing unauthorized modification), availability (ensuring systems remain operational), and resilience (enabling recovery from incidents). These measures must be continuously monitored and updated as threats evolve and your organization scales.
How to comply
- 1.Encrypt personal data both in transit (TLS/SSL) and at rest using industry-standard algorithms
- 2.Implement access controls and authentication mechanisms (MFA, RBAC) to limit system access to authorized personnel
- 3.Deploy monitoring and logging tools to detect and record unauthorized access or modification attempts
- 4.Establish backup and disaster recovery procedures with documented RTO/RPO targets and regular testing
- 5.Conduct regular security assessments and penetration testing to identify vulnerabilities
- 6.Implement network segmentation and firewalls to isolate systems handling personal data
- 7.Define and enforce data retention policies aligned with legal requirements
- 8.Maintain an inventory of all systems processing personal data and their security controls
- 9.Document all security measures and controls with evidence of implementation and testing
Evidence auditors look for
- Encryption certificates and TLS/SSL configuration documentation
- Access control policies and role-based access lists
- Security audit logs showing monitoring of system access and changes
- Backup and disaster recovery test reports with timestamps
- Penetration testing reports from past 12 months
- Network diagrams showing segmentation and firewall rules
- Data retention schedules and deletion confirmation logs
- System inventory spreadsheet with assigned security controls
- Incident response plans and breach notification procedures
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates continuous monitoring of your data systems' security controls, logs evidence of encryption and access controls in real-time, and flags lapses in backup testing—so you stay audit-ready without manual spreadsheets.
See how GRCWatch handles this control automatically
Start free trial