CIPP/E Domain 2: Protecting Personal Data: Security Measures

Quick Insights:

Protecting personal data under GDPR is no longer limited to basic cybersecurity controls. Organizations must apply risk-based technical and organizational measures that protect personal data from unauthorized access, misuse, loss, breaches, and unlawful processing. This includes encryption, pseudonymization, role-based access controls, backup and recovery, ransomware resilience, SIEM, secure cloud configuration, vulnerability management, and employee awareness. In 2026, AI tools, cloud platforms, ransomware risks, and cross-border data sharing make strong accountability and privacy-by-design even more important.

In today’s digital ecosystem, protecting personal data is a must; not just to comply with the law, but to earn customer trust and to protect business reputation and operational integrity. The GDPR makes it clear that writing privacy policies and locking down systems is not enough. Organizations need to demonstrate that they handle personal data safely and responsibly.

That’s where security and accountability come in. Security is about keeping personal data safe from breaches, misuse, and unlawful access. Accountability requires organizations to demonstrate that their privacy practices are effective, embedded, and up to date. Domain 2 of the CIPP/E curriculum dives deep into the Security of Personal Data.

Before exploring security measures, it is important to understand the data being protected. In our previous blog, we discussed the GDPR fundamentals. This article takes the next step by focusing on how organizations can protect that personal data through practical security measures, breach readiness, vendor oversight, and secure data-sharing practices.

Protecting Personal Data: Security Measures

1. Appropriate Technical and Organizational Measures

Under Article 32, GDPR mandates that both controllers and processors enforce appropriate technical and organizational measures to secure personal data. These are not fixed prescriptions but must be risk-based, factoring in the nature of the data, potential threats, current technological standards, and cost.

Key Protection Mechanisms Include:

AI and Automated Processing Security Risks

As organizations increasingly use AI tools, automated decision-making systems, analytics platforms, and cloud-based applications, personal data security must also cover AI-related risks. This includes preventing employees from entering sensitive data into unauthorized AI tools, limiting access to training datasets, monitoring AI outputs for possible data leakage, and ensuring that automated systems follow GDPR principles such as data minimization, purpose limitation, transparency, and security by design.

2. Breach Notification

GDPR has a strong transparency focus. Articles 33 and 34 introduce breach notification duties.

Article 33: Notify the Regulator

  • Controllers should inform the relevant supervisory authority within 72 hours of becoming aware of a personal data breach.
  • Processors should alert the controller as soon as possible after discovering a personal data breach.
  • Notification is required only if the breach is likely to result in a risk to individuals’ rights or freedoms.
  • Even if you do not report a breach, you must keep a record of every breach.

Article 34: Notify the Individuals

  • Notify affected individuals if the breach is likely to result in a high risk to their rights and freedoms.
  • Example: Medical records leaked? Notify. Encrypted data lost (with the key still protected)? Likely no need to.

3. Vendor Management (Controller-Processor Relationships)

If you use third-party vendors to process personal data, you’re still responsible for what happens to it. Article 28 governs how controllers must engage with processors:

  • Only use processors offering “sufficient guarantees” of security.
  • Contractual obligations must include:
    • Acting only under the controller’s instructions
    • Implementing appropriate TOMs
    • Assisting with breach notifications
    • Allowing audits

Effective Vendor Management Includes

  • Due Diligence: Vetting processors’ security credentials, past breaches, and certifications (ISO 27001, PCI DSS)
  • Contracts: Must specify security expectations, breach processes, and audit rights
  • Ongoing Oversight: Periodic assessments and audits to ensure compliance

4. Data Sharing

Sharing data is not just a legal agreement; it is a security challenge. Whether you are transferring data to another EU entity, a third-party vendor, or across borders, risks multiply.

Common issues in data sharing:

  • Data in transit is not encrypted.
  • Responsibilities between joint controllers are not clearly defined.
  • Cloud services have unclear data handling practices.

When data is shared, especially cross-border, risks like government surveillance, loss in transit, or unauthorized access increase. Security measures must be designed accordingly, especially for large-scale or sensitive data processing.

EU Data Act Impact on Data Sharing

The EU Data Act creates new expectations around data access, sharing, and cloud switching. However, when shared data includes personal data, GDPR continues to apply. Organizations must ensure that data sharing is lawful, secure, transparent, and limited to what is necessary. This makes data mapping, access control, encryption, contract clarity, and transfer safeguards even more important.

To be continued: Understanding Controllers and Processors Under GDPR

In Conclusion:

Protecting personal data under GDPR requires more than basic cybersecurity. Organizations must apply risk-based technical and organizational measures, monitor vendors, prepare for breaches, secure data sharing, and maintain clear accountability across the processing lifecycle. In 2026, this responsibility is even broader as AI tools, cloud platforms, cross-border transfers, and data-sharing regulations introduce new privacy and security risks. A strong privacy program should therefore combine encryption, access control, monitoring, breach readiness, vendor governance, and privacy-by-design practices to protect individuals and demonstrate compliance.

CIPP/E Certification Training with InfosecTrain

Enroll in InfosecTrain’s CIPP European Privacy Certification Training to master GDPR compliance, personal data security, and accountability. Gain expert insights, practical skills, and exam readiness to advance your career in privacy and data protection. These concepts are also covered in our CIPT and DPO hands-on training courses; enroll now to deepen your expertise.


TRAINING CALENDAR of Upcoming Batches For CIPP European Privacy Online Training

Start Date    End Date      Start - End Time     Batch Type   Training Mode   Batch Status
13-Jul-2026   28-Jul-2026   20:00 - 22:00 IST    Weekday      Online          Closed
08-Aug-2026   29-Aug-2026   09:00 - 13:00 IST    Weekend      Online          Open
07-Sep-2026   22-Sep-2026   20:00 - 22:00 IST    Weekday      Online          Open
10-Oct-2026   25-Oct-2026   09:00 - 13:00 IST    Weekend      Online          Open
16-Nov-2026   01-Dec-2026   20:00 - 22:00 IST    Weekday      Online          Open
05-Dec-2026   20-Dec-2026   09:00 - 13:00 IST    Weekend      Online          Open

Frequently Asked Questions

What are the technical and organizational measures under GDPR?

They are security controls used to protect personal data, such as encryption, access controls, backups, monitoring, employee training, and incident response.

What does GDPR Article 32 require?

Under Article 32, both controllers and processors must put in place appropriate security measures proportionate to the level of risk involved.

When should a data breach be reported?

A personal data breach should be reported to the relevant data protection authority within 72 hours of the organization becoming aware of it, when the breach is likely to put individuals’ rights or freedoms at risk.

Why is vendor management important under GDPR?

Because organizations remain responsible when third-party processors handle personal data on their behalf.

How does AI affect personal data security?

AI can increase risks such as data leakage, unauthorized tool use, and misuse of training data, so strong access control and monitoring are needed.
