Article 32 · Deep dive

GDPR Article 32
for engineering teams.

Article 32 is the article most aimed at engineering — and the one most cleanly mapped to cloud controls you can actually verify. This is the paragraph-by-paragraph version: requirement, evidence schema, control IDs, agent prompts.

11 min read·Updated 2026-04·Cloud: AWS · Azure · GCP
The article

What "security of processing" actually says.

Article 32 doesn't tell you what to build. It says implement "appropriate technical and organisational measures" with reference to four named ones — pseudonymisation, encryption, CIA, restore — and then defers to risk assessment. That phrasing is what makes it confusing for engineers.

The phrasing is also what makes Article 32 the most-cited article in supervisory action. Below is the version where every paragraph is a concrete engineering surface, with the evidence supervisors actually look for.

Article 32(1)(a)

pseudonymisation + encryption

Implement pseudonymisation and encryption of personal data — TLS 1.2+ in transit, AES-256 at rest, KMS with key rotation ≤ 365 days.

Evidence schema
  • ·TLS termination policy
  • ·at-rest encryption per data store
  • ·KMS key + rotation config
  • ·pseudonymisation design doc
  • ·periodic review record
Control IDs

Cloud_Security: DP-3, DP-4, DP-5, DP-6 · NIST CSF: PR.DS-01 · OWASP: A04 cryptographic failures

Article 32(1)(b)

CIA — confidentiality, integrity, availability

Ongoing confidentiality, integrity, availability, and resilience of processing systems and services.

Evidence schema
  • ·SLO definition
  • ·incident response runbook
  • ·integrity check / signing
  • ·replication topology
Control IDs

NIST CSF: PR.DS, PR.IP · ISO 27001: A.8.16, A.8.21

Article 32(1)(c)

restore in timely manner

Ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.

Evidence schema
  • ·backup config
  • ·restore test log (last 90 days)
  • ·documented RTO/RPO
Control IDs

NIST CSF: RC.RP-01 · ISO 27001: A.8.13, A.8.14

Article 32(1)(d)

periodic testing

Process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures.

Evidence schema
  • ·pen-test report
  • ·scanner cadence
  • ·control-effectiveness review
Control IDs

NIST CSF: ID.RA, PR.IP-12 · ISO 27001: A.8.29

Article 32(2)

risk-based assessment

Risk assessment must consider risks of unauthorised access, accidental loss, alteration, or disclosure.

Evidence schema
  • ·threat model
  • ·risk register
  • ·assessment cadence
Control IDs

NIST CSF: ID.RA · ISO 27001: A.8.8

Article 32(4)

instruction-bound processing

Natural persons under controller authority process personal data only on documented instructions, with technical enforcement.

Evidence schema
  • ·IAM policy with purpose tags
  • ·audit log linking access to documented purpose
  • ·periodic access review record
Control IDs

Cloud_Security: PA-1, PA-7 · NIST CSF: PR.AC

The agent path

One bundle, one loop.

The full Article 32 surface is bundled in RuleMesh as access-control-security: 19 IT requirements, 89 evidence checks, 17 high-risk items, mapped to AWS, Azure, GCP, NIST CSF, and OWASP Top 10.

install + prompt
~/your-repo $ claude mcp add rulemesh

# in your agent:
Pull the access-control-security bundle from rulemesh. For each
requirement, walk the repo and infrastructure config, decide met /
partial / todo, capture evidence references, and submit signals.
Then print a markdown report grouped by paragraph (32(1)(a),
32(1)(b)...).
What this guide is not.
Not legal advice; not a substitute for a DPIA on high-risk processing; not the Records of Processing Activities (Article 30). Engineering's job is the execution layer — the place where Article 32 measures are actually enforced and where evidence is generated. The policy layer is owned upstream of the code.

Related

Run this loop on your codebase.

Free MCP install. No credit card. Start with the agent you already use.

Get started freearrow_forwardHow it works