GDPR Article 32 requires "appropriate technical and organisational measures" to ensure a level of security appropriate to the risk. But what does "appropriate" mean? This ambiguity is both a blessing and a curse. Your DPO probably focuses on the legal and organisational side - consent records, privacy notices, records of processing activities. But GDPR's technical requirements carry the same weight, and they are often underestimated.
The technical measures GDPR implies
Reading GDPR through the lens of a security engineer, the implicit technical requirements are clear. Pseudonymisation and encryption of personal data (Article 32.1.a), which in practice means encryption at rest and in transit, with keys managed separately from the data they protect. The ability to restore availability of and access to personal data in a timely manner after an incident (32.1.c), which means restore procedures that are actually exercised - a backup you have never restored is an assumption, not a control. A process for regularly testing, assessing and evaluating the effectiveness of the measures (32.1.d), which means periodic vulnerability assessments and penetration testing, not a one-off audit. And most importantly: detection and response, because Article 33 requires notifying the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach. The clock starts at awareness, and the authority will ask why awareness came late. How do you notify within 72 hours if you do not even know you have been breached?
The gap between compliance and security
In my experience working with Italian SMEs, I often see companies that are "GDPR compliant" on paper but do not have centralised log collection and monitoring, any capability to detect a data breach, incident response procedures that have been tested, or end-to-end encryption on critical channels. They are compliant in the legal sense but vulnerable in the technical sense. And when the breach comes, paper compliance does not protect against penalties, because the Data Protection Authority will assess whether the technical measures were truly "appropriate" to the risk.
The convergence of GDPR and NIS2 makes this even more urgent. Companies that invested in technical security for GDPR already have an advantage in NIS2 compliance. Those that treated GDPR as a purely legal exercise now find themselves with a double gap to close. The advice is simple: involve a technical security expert in your data protection program. The DPO and the CISO should work together, not in separate silos.
If you want to dive deeper into this topic or need specialized consulting, let us talk.
Let's talk →