GDPR IT Security Checklist 2026 — Article 32 in Practice

Cybersecurity & Compliance · May 2026 · 14 min read

← Part of the Cybersecurity Guide
Martin Keller By Martin Keller · Reepa Solutions

GDPR Article 32 requires "appropriate technical and organisational measures" — what this means in practice is deliberately left open in the legislative text. That ambiguity is intentional, because the obligation must be interpreted in proportion to risk. For day-to-day operations, however, it is uncomfortable: mid-market companies receive no ready-made list to tick off. This checklist closes that gap. Fourteen points that are audited in DACH mid-market organisations, that are relevant in every supervisory inspection, and that protect against fines. The broader cybersecurity context is covered in our Cybersecurity Guide for Mid-Market Companies; for a demarcation from NIS2 see our article NIS2 for Mid-Market Companies.

What GDPR Article 32 Actually Requires

Article 32 specifies four protection objectives for personal data: confidentiality, integrity, availability, and resilience. To achieve these, "appropriate measures" must be taken, "taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons".

In plain language: the measures must match the risk. A small tax consultancy with 200 clients needs less than a mid-size insurance company with 50,000 customer records. But every organisation needs something — and must be able to justify and document its choice of measures.

Article 32 names four concrete examples: pseudonymisation and encryption, ongoing confidentiality and availability, rapid restoration after an incident, and procedures for regularly reviewing effectiveness. These four are not exhaustive, but they are the minimum standard.

The 14-Point Self-Assessment Checklist

This checklist covers the TOM expectations of German supervisory authorities. Any organisation that can answer all fourteen points with "fulfilled" and can substantiate that with documentation is protected against moderate audit findings.

Have your GDPR TOMs reviewed in a structured audit

We audit your 14 TOM areas in a two-to-four-week engagement and deliver a written findings report with prioritised recommendations. Suitable as preparation for a supervisory inspection or as evidence for cyber insurance.

Request a GDPR audit

Common Audit Findings from Practice

Certain findings recur consistently in our audits of German mid-market companies. Avoiding these classics eliminates the most likely audit findings.

Missing full disk encryption on older laptops. New devices are usually provisioned correctly; older ones from 2019–2021 are often not retrofitted. When an unencrypted laptop containing customer data is lost, notification is mandatory and the fine risk is significant.

Cloud storage without a permissions framework. SharePoint, OneDrive, and Google Drive are frequently used as shared storage without structured access rights. Employees have access to everything because that was convenient at the start. In the event of staff turnover or an insider incident, the burden of proof becomes difficult.

Backups without restore testing. Backups run daily — but no one has verified in the past two years whether they are actually restorable. In a real incident it turns out that backups are inconsistent or that recovery keys have been lost.

Data processing agreements with incorrect content. Standard contracts from cloud providers (Microsoft, Google, AWS) are accepted without scrutiny, without validating the TOM annex or checking for German data residency. In Schrems II-related supervisory inspections this is one of the most frequent findings.

No documented effectiveness review. TOMs are documented, but no one has checked whether they still apply. The records of processing activities are from 2019 and describe an IT landscape that no longer exists. Authorities treat this as "insufficient diligence" and can use it to justify an increased fine.

Records of Processing Activities under Article 30 — the Mandatory Documentation

The records of processing activities are the central compliance document. In every supervisory inspection it is the first requirement — organisations that do not have it immediately face a notifiable deficiency.

Mandatory content per processing activity: name and purpose of the processing, legal basis (consent, contract, legitimate interest, statutory obligation), categories of data subjects and data, recipients (internal and external), transfers to third countries, retention periods, technical and organisational measures.

In practice, 30 to 80 processing activities are typical for a mid-market company. HR administration, payroll, customer management, newsletters, applicant management, supplier management, IT logging, video surveillance, time tracking — each of these is a separate processing activity with its own documentation. In our GDPR audits we provide an Excel template covering all typical processing activities as a starting point.

Reporting Data Breaches — the 72-Hour Obligation

In the event of a data protection incident posing a risk to data subjects, Article 33 requires notification to the supervisory authority within 72 hours of becoming aware of the incident. Where the risk is high, the data subjects themselves must also be informed under Article 34.

What counts as a notifiable data breach? Loss or theft of data carriers containing personal data, unauthorised access by internal or external persons, accidental disclosure (for example an incorrect email distribution list), ransomware encryption where the availability of the data is affected, technical errors resulting in a data leak.

The 72-hour clock starts when the incident becomes known — not when it is confirmed. An organisation that learns of an incident on Friday evening and waits until Monday has missed the deadline. In practice: a documented procedure that also works on weekends, with clear accountability and a pre-prepared notification form from the competent supervisory authority.

Important: if an incident has both GDPR and NIS2 relevance (for example because personal data was compromised and a NIS2-obligated sector is simultaneously affected), both notification obligations apply in parallel — to different authorities, with different deadlines and different content requirements.

GDPR versus NIS2 — What Applies Where

Both frameworks protect different values and follow different logic. Understanding the distinction is essential for mid-market companies operating in NIS2 sectors.

GDPR protects personal data — customer names, employee data, supplier contacts, newsletter subscribers. Every company that processes such data is subject to GDPR. Supervisory authority: the relevant state data protection authority. Fine threshold: up to 20 million euros or 4 percent of annual turnover.

NIS2 protects the operational continuity of critical services — the availability of the IT infrastructure that a sector needs to fulfil its functions. Applies only to medium and large companies in 18 defined sectors. Supervisory authority in Germany: the BSI. Fine threshold: up to 10 million euros or 2 percent of annual turnover.

The overlap: many NIS2 obligations coincide with GDPR TOM expectations. An organisation with a solid GDPR implementation is already a good way towards NIS2 compliance. An organisation that fully implements NIS2 will almost automatically satisfy the GDPR TOM obligations. We leverage exactly this synergy in our compliance packages — one consolidated implementation plan instead of two parallel projects.

Frequently Asked Questions

What are technical and organisational measures (TOM)?

TOMs are all measures to protect personal data that are mandatory under GDPR Article 32. Technical measures include encryption, access control, and backup. Organisational measures include training, access permission frameworks, and contracts with data processors. Both must be documented and regularly reviewed for effectiveness.

How high are GDPR fines for IT security deficiencies?

The maximum fine threshold is 20 million euros or 4 percent of global annual turnover (whichever is higher). In practice, moderate TOM deficiencies result in fines of 50,000 to 500,000 euros — depending on severity, number of data subjects affected, intent, and cooperation with the authority.

Do we have to report every data breach?

No — notification is only required when there is a risk to the rights and freedoms of the data subjects. For encrypted data without key loss, or purely internal incidents without data exfiltration, notification may not be required. The assessment should be documented, and in cases of doubt it is better to report — supervisory authorities penalise missing notifications, not excessive ones.

How do GDPR and NIS2 differ?

GDPR protects personal data and applies to every data processor. NIS2 protects the operational continuity of critical services and applies to medium and large companies in 18 sectors. In the event of a security incident, both notification obligations may apply simultaneously — GDPR under Article 33 within 72 hours to the data protection authority, NIS2 in a three-stage process to the BSI reporting office.

Do we need a Data Protection Officer?

A Data Protection Officer is mandatory for organisations with 20 or more employees engaged in continuous processing of personal data, or where core activities involve large-scale processing of sensitive data — regardless of headcount. Even where not mandatory, appointing one is often advisable in practice to ease the burden of proof with authorities.

How often should TOMs be reviewed?

At least once a year and after every significant organisational or technical change. For security-relevant changes (new application, new data processor, cloud migration), a TOM review should be part of the change process. We recommend semi-annual reviews as a sensible middle ground.

Implement GDPR and NIS2 in a single project — not two in parallel

We deliver consolidated compliance packages that implement the TOM obligations of both frameworks jointly. One asset inventory, one risk register, one control matrix. Instead of two consultants running in parallel: one partner with consolidated reporting.

Request compliance consulting
Martin Keller
Martin Keller · Backend & Cloud Architect · Reepa Solutions

IT security and cloud architect with over ten years of experience. Develops Reepa Security with his team — an offensive audit platform for mid-market companies. Writes regularly about GDPR, NIS2, cloud security, and penetration testing methodology.

Reviewed on: 22 May 2026 · More about Martin

More from our knowledge hubs

🛡
Security
Cybersecurity
15 articles →
🧠
Artificial Intelligence
AI for Mid-Market
15 articles →
Infrastructure
Cloud & DevOps
15 articles →
💻
Development
Software Development
15 articles →