GDPR Compliance & Article 28 Security Measures
GDPR Article 28 security measures and data protection compliance consulting for controllers, processors, and organizations navigating EU data protection requirements.
Bell Tower engineers data protection programs aligned to GDPR Article 28 security requirements for controllers, processors, and organizations handling EU personal data.
What We Deliver
- Article 28 Security Assessment: Comprehensive evaluation of processor security measures per Article 28(3)(c) including encryption, availability, access controls, and incident response
- Data Processing Agreement (DPA) Engineering: Legally sound DPAs with required Article 28 clauses, subprocessor governance, and audit rights documentation
- Records of Processing Activities (ROPA): Complete inventory of processing activities per Article 30 with lawful basis mapping and retention schedules
- Data Protection Impact Assessment (DPIA): Systematic evaluation of high-risk processing operations with mitigation strategies and supervisory authority consultation preparation
- Breach Notification Readiness: 72-hour notification workflows, documentation procedures, and supervisory authority communication protocols per Article 33
GDPR Article 28 Implementation
Bell Tower’s GDPR compliance consulting addresses the security obligations that processors must implement per Article 28(3)(c). We start with an assessment of your current technical and organizational measures against GDPR requirements: encryption of personal data, ongoing confidentiality and integrity assurance, availability and resilience of processing systems, and regular security testing.
We engineer security controls that satisfy Article 28 without over-engineering. For controllers, we ensure your processors demonstrate compliance through documented security measures, subprocessor inventories, and audit cooperation clauses. For processors, we implement the technical measures required to satisfy controller contracts: data segregation, access logging, pseudonymization capabilities, and secure deletion procedures.
For organizations already aligned to NIST CSF or ISO 27001, we provide crosswalk documentation showing how existing controls satisfy Article 28 requirements—demonstrating compliance while avoiding redundant certification efforts.
GDPR to Framework Crosswalks
GDPR Article 28 security requirements map directly to major security frameworks:
| GDPR Requirement | Article Reference | NIST CSF Mapping | ISO 27001 Mapping | Control Description |
|---|---|---|---|---|
| Encryption | Art. 32(1)(a) | PR.DS | A.10.1 | Pseudonymization and encryption of personal data |
| Confidentiality | Art. 28(3)(c) | PR.AC | A.9.4 | Ensuring ongoing confidentiality of processing |
| Integrity | Art. 32(1)(b) | PR.IP | A.12.2 | Maintaining processing systems integrity |
| Availability | Art. 32(1)(c) | PR.IP | A.12.3 | Availability and access restoration capabilities |
| Access Controls | Art. 32(1)(d) | PR.AC | A.9.2 | Regular testing and access review procedures |
| Breach Detection | Art. 33 | DE.CM | A.16.1 | Personal data breach detection and notification |
| DPIA | Art. 35 | ID.RA | A.12.6 | Data Protection Impact Assessment for high-risk processing |
| ROPA | Art. 30 | ID.AM | A.12.1 | Records of processing activities maintenance |
We map your current security program to GDPR requirements, identifying gaps between framework alignment and supervisory authority expectations.
Article 28 Security Measures Examples
GDPR Article 28(3)(c) requires processors to implement specific security measures. We engineer controls that satisfy these requirements:
Example: Encryption Implementation
Requirement: Pseudonymization and encryption of personal data (Art. 32(1)(a))
Implementation: AES-256 encryption at rest for all personal data stores, TLS 1.3 for data in transit, field-level encryption for sensitive categories
Evidence: Encryption configuration documentation, key management procedures, cryptographic module validation
Audit Trail: Access logs showing encryption enforcement, key rotation schedules
Example: Access Control & Confidentiality
Requirement: Ongoing confidentiality and access limitation (Art. 28(3)(c))
Implementation: Role-based access controls (RBAC), least privilege enforcement, MFA for all personal data access, regular access reviews
Evidence: Access control matrix, user provisioning/deprovisioning procedures, quarterly access attestation records
Audit Trail: Authentication logs, failed access attempts, privilege escalation monitoring
Example: Availability & Resilience
Requirement: Ability to restore availability and access in a timely manner (Art. 32(1)(c))
Implementation: Redundant processing systems, automated backups with tested restoration, disaster recovery procedures with RPO/RTO targets
Evidence: Backup restoration test results, failover procedure documentation, resilience testing reports
Audit Trail: System availability metrics, incident response logs, recovery time documentation
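The encryption/pseudonymization and access-control examples above describe controls in prose; the following Python module shows what the evidence behind them looks like in code. It is an added illustration, not Bell Tower's tooling or a client implementation: the roles, field names, customer records and the pseudonymization key are all constructed for the demo. It implements keyed pseudonymization of a direct identifier (Art. 32(1)(a)), role-based least-privilege access with an MFA gate on sensitive fields, and an audit trail that records every allow and deny decision while storing only the pseudonym of the data subject.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical role -> fields it may read. Least privilege: no single role
# sees every field, and fields outside the mapping are denied by default.
ROLE_PERMISSIONS = {
    "support_agent": {"customer_id", "email"},
    "billing_clerk": {"customer_id", "iban"},
    "analyst": {"customer_id", "country"},
}

# Sensitive categories that also require a verified MFA session before release.
MFA_REQUIRED_FIELDS = {"iban", "health_note"}


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256, hex) for a direct identifier.

    The key is stored apart from the pseudonymized data set, so the data
    set on its own cannot be attributed to a person; holders of the key
    can still re-link records when an investigation requires it.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


@dataclass
class AuditEvent:
    timestamp: str
    user: str
    role: str
    data_field: str
    subject: str      # pseudonym of the data subject, never the raw identifier
    decision: str     # "allow" or "deny"
    reason: str


@dataclass
class PersonalDataStore:
    records: dict            # customer_id -> {field_name: value}
    pseudonym_key: bytes
    audit_log: list = field(default_factory=list)

    def _audit(self, user, role, data_field, customer_id, decision, reason):
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), user, role, data_field,
            pseudonymize(customer_id, self.pseudonym_key), decision, reason))

    def read_field(self, user, role, mfa_verified, customer_id, data_field):
        """Release one field only when the role permits it and, for
        sensitive fields, MFA has been verified. Every decision is logged."""
        if data_field not in ROLE_PERMISSIONS.get(role, set()):
            self._audit(user, role, data_field, customer_id, "deny",
                        "field not permitted for role")
            raise PermissionError(f"{role} may not read {data_field}")
        if data_field in MFA_REQUIRED_FIELDS and not mfa_verified:
            self._audit(user, role, data_field, customer_id, "deny",
                        "MFA required for sensitive field")
            raise PermissionError("MFA required")
        record = self.records.get(customer_id, {})
        if data_field not in record:
            self._audit(user, role, data_field, customer_id, "deny",
                        "no such record or field")
            raise KeyError(data_field)
        self._audit(user, role, data_field, customer_id, "allow", "policy satisfied")
        return record[data_field]

    def export_pseudonymized(self, fields):
        """Analytics extract: direct identifier replaced by its pseudonym,
        and only the requested non-identifying fields included."""
        return [
            {"pseudonym": pseudonymize(cid, self.pseudonym_key),
             **{f: rec[f] for f in fields if f in rec}}
            for cid, rec in self.records.items()
        ]

    def denied_attempts(self):
        """Failed access attempts, the audit-trail item an auditor asks for."""
        return [e for e in self.audit_log if e.decision == "deny"]


def build_demo_store():
    """Constructed sample data; identifiers, values and key are made up."""
    return PersonalDataStore(
        records={
            "C-1001": {"customer_id": "C-1001", "email": "ada@example.invalid",
                       "iban": "DE00 0000 0000 0000 0000 00", "country": "DE"},
            "C-1002": {"customer_id": "C-1002", "email": "bo@example.invalid",
                       "iban": "FR00 0000 0000 0000 0000 000", "country": "FR"},
        },
        pseudonym_key=b"demo-pseudonym-key-keep-in-kms",
    )


if __name__ == "__main__":
    store = build_demo_store()
    print(store.read_field("alice", "support_agent", False, "C-1001", "email"))
    for role, data_field in (("analyst", "email"), ("billing_clerk", "iban")):
        try:
            store.read_field("bob", role, False, "C-1001", data_field)
        except PermissionError as exc:
            print("denied:", exc)
    print(store.export_pseudonymized(["country"]))
    print(len(store.denied_attempts()), "denied attempts logged")
```

Two design points matter for the evidence library: the audit log is itself a personal-data store, so it records the pseudonym rather than the raw customer identifier, and the pseudonymization key lives outside the data set (in practice a key-management service) so that key rotation and separation of duties can be evidenced independently of the application.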
Audit Evidence Library
Supervisory authority investigations and Data Protection Authority (DPA) audits require proof of ongoing compliance. We build evidence libraries organized by Article:
| GDPR Requirement | Evidence Type | Source | Owner | Refresh Cadence |
|---|---|---|---|---|
| Art. 28(3)(c) | Security measures documentation, technical specifications | IT Security | DPO/Security Officer | Annual |
| Art. 30 | Records of processing activities, data flow diagrams | Data governance | DPO | Quarterly |
| Art. 32 | Security policy, risk assessment, penetration test results | Risk management | CISO/DPO | Annual |
| Art. 33 | Breach register, incident response logs, notification records | Security operations | DPO | Per event |
| Art. 35 | DPIA documentation, mitigation measures, consultation records | Privacy engineering | DPO | Per new processing |
| Art. 37 | DPO appointment records, contact details, publication | Legal/HR | Legal Counsel | As needed |
Data Processing Agreements (DPA)
Article 28 mandates specific clauses in controller-processor contracts. We engineer DPAs that satisfy regulatory requirements:
Required Article 28(3) Clauses:
- Processing subject matter, duration, nature/purpose, data categories, controller obligations
- Processor obligation to process only on documented controller instructions
- Confidentiality commitments for personnel accessing personal data
- Security measures implementation per Article 32 (encryption, access controls, availability)
- Subprocessor engagement conditions: prior specific or general authorization, same data protection obligations
- Assistance with data subject rights requests, DPIAs, and supervisory authority consultations
- Data return or deletion procedures upon contract termination
- Audit and inspection rights with information provision obligations
We ensure your DPAs include subprocessor governance (Art. 28(2)), international transfer safeguards (Chapter V), and documented security measure specifications that satisfy both contractual and regulatory requirements.
Cross-Border Data Transfers
GDPR Chapter V requires adequate protection for personal data transfers outside the EEA. We engineer transfer mechanisms:
Standard Contractual Clauses (SCCs):
- EU Commission 2021 SCCs for controller-to-processor and controller-to-controller transfers
- Module-specific implementation based on processing roles and transfer scenarios
- Transfer Impact Assessments (TIAs) documenting destination country law analysis
- Supplementary measures for jurisdictions with concerning surveillance laws
Adequacy Decisions:
- Reliance on EU Commission adequacy decisions where available (UK, selected countries)
- Ongoing monitoring of adequacy status and potential revocation impacts
- Fallback transfer mechanisms for adequacy decision lapses
Binding Corporate Rules (BCRs):
- For multinational organizations with intra-group transfers
- Policy documentation, approval procedures, and DPA notification requirements
We ensure your cross-border data transfer program satisfies Schrems II requirements with documented Transfer Impact Assessments and supplementary technical measures where necessary.
From Automation to Auditor
Compliance automation tools help, but supervisory authority auditors require context and procedural documentation. We bridge the gap:
- ROPA Maintenance: Converting system inventories into Article 30-compliant records with lawful basis mapping, retention periods, and security measure descriptions
- DPIA Documentation: Systematic evaluation methodology for high-risk processing with documented mitigation measures and DPO consultation records
- Breach Assessment: 72-hour notification decision workflows with documented risk assessment for data subject harm determination
- Processor Due Diligence: Vendor assessment methodology documenting Article 28 compliance validation and subprocessor oversight
Why Bell Tower for GDPR
GDPR compliance requires ongoing operation, not just documentation. We ensure your team understands:
- How to maintain ROPA when processing activities change or new systems are implemented
- DPO responsibilities and independence requirements under Articles 37-39
- Data subject rights request workflows (access, rectification, erasure, portability, objection) per Articles 15-22
- Cross-border transfer mechanism selection and Transfer Impact Assessment methodology
- Supervisory authority notification procedures and documentation standards
Your compliance program belongs to you. We engineer the controls, document the evidence, and ensure your team can operate it independently—prepared for Data Protection Authority audits, processor due diligence, and data subject requests.
Related Resources
- NIST Cybersecurity Framework — Map existing NIST CSF controls to GDPR Article 28 requirements
- ISO 27001 — Leverage ISO 27001 certification for GDPR security measure demonstration
- Regulatory Compliance Crosswalk — Compare requirements across GDPR, HIPAA, FINRA/SEC, and other frameworks
Frequently Asked Questions
What are the key differences between controller and processor obligations under GDPR?
Controllers determine the purposes and means of processing personal data, bearing primary responsibility for compliance including data subject rights, lawful basis determination, and DPIA conduct. Processors handle data on controller instructions, with obligations limited to Article 28 security measures, subprocessor management, and controller assistance. Both share liability for security breaches, but controllers remain accountable to data subjects and supervisory authorities.
When is a Data Protection Impact Assessment (DPIA) required?
GDPR Article 35 mandates DPIAs for processing likely to result in high risk to rights and freedoms, including: systematic profiling with significant effects, large-scale processing of sensitive categories, extensive systematic monitoring of public areas, and processing on the DPA’s published high-risk list. We engineer DPIA methodologies that identify high-risk processing, evaluate necessity and proportionality, assess risks to individuals, and identify mitigating measures.
What triggers the 72-hour breach notification requirement?
Article 33 requires controller notification to supervisory authorities within 72 hours of becoming aware of a personal data breach likely to result in risk to rights and freedoms. Risk determination considers breach severity, sensitivity of data, ease of identification, and potential consequences. We engineer breach assessment workflows with documented risk criteria, notification templates, and escalation procedures that satisfy timing requirements while avoiding unnecessary notifications.
How do Standard Contractual Clauses work for international transfers?
SCCs are contractual safeguards approved by the EU Commission that provide appropriate protection for personal data transfers outside the EEA. The 2021 SCCs include four modules for different transfer scenarios and require Transfer Impact Assessments evaluating destination country laws. We engineer SCC implementation with Module selection, supplementary technical measures, and documented TIAs that satisfy post-Schrems II requirements.
Does GDPR require encryption of all personal data?
Article 32 requires “appropriate” security measures considering processing risks, not blanket encryption. Encryption is listed as a potential measure alongside pseudonymization, access controls, and resilience testing. We engineer risk-based encryption strategies that protect high-risk processing (health data, financial data, children’s data) while documenting rationale for alternative measures where encryption is technically infeasible—always ensuring the security level satisfies Article 28 processor obligations.
Preparing for a Data Protection Authority audit or implementing Article 28 security measures? Contact us to discuss your current data protection posture and evidence readiness.