Guide: Data Privacy

Security of Processing

The General Data Protection Regulation (GDPR) is a comprehensive data protection law implemented by the European Union in 2018. It applies to all organizations operating within the EU, as well as those outside of the EU that process the personal data of EU citizens. One of the key aspects of the GDPR involves the emphasis on the security of data processing. Organizations must implement technical and organizational measures to protect the personal data they process and store from unauthorized access, alteration, or destruction. This article covers the GDPR Security of Processing requirement by discussing the following topics:
To learn more about Data Privacy with Satori read our Data Privacy Guide.

What is the Security of Processing Under the GDPR?

Security of Processing under the GDPR refers to the technical and organizational measures that organizations must implement to protect personal data from unauthorized access, alteration, or destruction. These measures aim to ensure the confidentiality, integrity, and availability of personal data.

The GDPR requires organizations to implement appropriate security measures proportionate to the risks associated with the processing of personal data. These measures should take into account the state of technology, the costs of implementation, and the nature, scope, context, and purposes of the processing.

Examples of security measures that organizations may implement include:


Organizations must also be able to demonstrate that they have implemented these measures and that they are effective in protecting personal data.

How to Determine the Appropriate Level of Processing Security

At first glance, the Security of Processing requirements outlined by the GDPR seems vague. But, this allows organizations more freedom to determine the most cost-effective method of maintaining security and adjusting their security measures based on new technologies. With a simple five-step process, any organization can determine the level of security they need for data processing under the GDPR:

  1. Risk assessment: Organizations must conduct a risk assessment to identify and evaluate the risks associated with their processing activities. To conduct this assessment, consider assigning numeric values to the associated risk related to different risk categories such as the sensitivity of data and the likelihood of a breach. With these numeric values, organizations can create security measures based on their specific security risks.

  2. Proportionality: Once the risks have been identified, organizations must implement appropriate technical and organizational measures proportionate to the risks. This means that the measures implemented should coincide with the level of risk. However, the GDPR allows organizations to scale back security measures if it places an undue burden on the organization.

  3. State-of-the-art: The GDPR requires organizations to consider the most up-to-date security technologies and best practices for processing data securely. To satisfy this requirement, organizations can show the efforts put into identifying currently available security technology and best practices. Then, document how the organization implemented these tools.

  4. Regular review: Organizations must regularly review and update their security measures to ensure that they remain effective in protecting personal data, and to take into account any changes in the risk profile or the state-of-the-art technology.

Common Difficulties Meeting GDPR Security of Processing Requirements

One common difficulty in meeting the GDPR security of processing requirements is understanding and interpreting the regulations themselves. The GDPR includes a lot of technical language as well as vague requirements that some organizations struggle to navigate. Additionally, some companies struggle to identify all of the personal data they collect and process, as well as ensure that it meets all protection requirements in the GDPR.

Another difficulty is ensuring that all third-party service providers, such as cloud service providers or data processors, also comply with the GDPR. Organizations must ensure that any third-party service providers they use also provide sufficient guarantees of data protection. This can cause difficulties in practice, especially when dealing with a large number of vendors.

Finally, organizations can struggle with incident management and reporting, such as detecting and responding to data breaches, as well as notifying the relevant authorities and affected individuals promptly. With the fast-paced nature of technology, it’s critical to have robust incident management and reporting procedures in place to ensure compliance with the GDPR in the event of a data breach.

Best Practices for Maintaining Security of Processing Compliance

Maintaining compliance with the Security of Processing requirements in the GDPR requires constant work. It’s not enough to create a security plan and then simply follow that plan forever. Organizations must regularly review their security measures, currently available security tools, and modern best practices. So, to ensure compliance, follow these best practices:


  • Conduct regular risk assessments: Regularly assess the risks to personal data and implement appropriate measures to mitigate those risks through conducting regular risk assessments.


  • Implement access controls: Implement controls to ensure that only authorized individuals can access personal data by implementing authentication and authorization mechanisms, and regularly reviewing and revoking access as necessary through access controls.


  • Encrypt personal data: Encrypt personal data both in transit and at rest to protect it from unauthorized access.


  • Implement incident response plans: Have plans in place to respond to data breaches and other security incidents, including procedures for reporting breaches to the relevant authorities, by implementing incident response plans.


  • Regularly train employees: Train employees on data protection and security best practices, including the proper handling of personal data and the procedures for reporting security incidents, by regularly training employees.


  • Appoint a Data Protection Officer (DPO): Appoint a Data Protection Officer (DPO) for organizations that process large amounts of personal data or whose core activities consist of data processing.


  • Regularly review and update policies and procedures: Regularly review and update data protection and security policies and procedures to ensure they remain effective.


  • Ensure third-party compliance: Ensure third-party compliance by ensuring that any third parties also maintain compliance with the GDPR.


The General Data Protection Regulation (GDPR) places a strong emphasis on the security of data processing. To maintain compliance, organizations must implement appropriate technical and organizational measures to protect personal data from unauthorized access, alteration, or destruction. 

Satori’s data security platform can help maintain compliance with the Security of Processing requirements through automated access to data and discovering and classifying sensitive data to help you meet the GDPR requirements. 

To learn more:

Last updated on

February 14, 2023

The information provided in this article and elsewhere on this website is meant purely for educational discussion and contains only general information about legal, commercial and other matters. It is not legal advice and should not be treated as such. Information on this website may not constitute the most up-to-date legal or other information. The information in this article is provided “as is” without any representations or warranties, express or implied. We make no representations or warranties in relation to the information in this article and all liability with respect to actions taken or not taken based on the contents of this article are hereby expressly disclaimed. You must not rely on the information in this article as an alternative to legal advice from your attorney or other professional legal services provider. If you have any specific questions about any legal matter you should consult your attorney or other professional legal services provider. This article may contain links to other third-party websites. Such links are only for the convenience of the reader, user or browser; we do not recommend or endorse the contents of any third-party sites.