Compliance Guide

GDPR Compliance for Endpoints

A Practical Guide to Article 32's Technical and Organisational Measures

GDPR Article 32 requires controllers and processors to implement "appropriate technical and organisational measures" to secure personal data, with fines reaching up to €20 million or 4% of global turnover for failures. This guide breaks down what that means at the endpoint level, and how Zecurit Endpoint Manager helps you demonstrate compliance.

Published by: Zecurit
Category: Compliance & Regulation
Audience: IT Teams, DPOs, Compliance Officers

Why Article 32 Puts Endpoints Under the Microscope

At a Glance
  • Who is impacted: Any controller or processor handling the personal data of individuals in the EU or EEA, regardless of where the organisation itself is based.
  • What the law requires: Article 32 mandates "appropriate technical and organisational measures" covering encryption, access control, system resilience, and regular security testing, scaled to the risk of the processing.
  • Why endpoints matter now: Supervisory authorities routinely cite inadequate encryption, weak access controls, and missing security testing as Article 32 failures, often discovered only after a breach.
  • How Zecurit helps: BitLocker encryption, device control, access management, patch and vulnerability management, and audit-ready compliance reporting from a single agent and console.

The General Data Protection Regulation has been enforceable since 25 May 2018, and its reach extends to any organisation processing the personal data of EU and EEA residents, regardless of where that organisation is headquartered. Cumulative fines under the regulation have now passed €7.1 billion, with €1.2 billion issued in 2025 alone, and enforcement has only accelerated through 2026.

Unlike some frameworks that prescribe an exact checklist, GDPR's security requirement under Article 32 is deliberately principles-based: organisations must assess the risk their processing presents and implement measures proportionate to that risk. This flexibility is also why so many enforcement actions hinge on it. Supervisory authorities consistently find that organisations had security programmes in place, but that those programmes did not match the actual risk profile of the data being processed.

2026 Enforcement Reality: France's CNIL fined Free Mobile €27 million in 2026 as part of a €42 million enforcement package, citing insufficient technical and organisational measures, the exact language regulators use when an organisation's security controls do not match the risk profile of the data it processes. Having a security programme on paper is not the same as having one that holds up under scrutiny.

This guide maps Article 32's requirements to specific capabilities in Zecurit Endpoint Manager, so IT and compliance teams can turn a principles-based legal requirement into concrete, demonstrable endpoint controls.

Key Terminology Under GDPR

GDPR defines roles and concepts precisely, and Article 32's obligations apply differently depending on which role an organisation occupies:

  • Data Controller

    The entity that determines the purposes and means of processing personal data. Controllers carry primary accountability for compliance.

  • Data Processor

    An entity that processes personal data on behalf of a controller. Since 2018, processors carry direct, independent obligations under Articles 28 and 32, not just contractual ones.

  • Personal Data

    Any information relating to an identified or identifiable natural person, covering far more than just names and emails, including device identifiers and location data.

  • Technical and Organisational Measures (TOMs)

    The safeguards Article 32 requires: technical measures like encryption and access control, paired with organisational measures like training and policy.

  • Data Protection Officer (DPO)

    A designated role responsible for monitoring compliance, required for public authorities and organisations engaged in large-scale or high-risk processing.

  • Supervisory Authority

    The national data protection regulator in each EU member state (such as Ireland's DPC, France's CNIL, or Italy's Garante), coordinated by the European Data Protection Board.

Who Must Comply With GDPR?

GDPR's territorial reach is broader than its name suggests. It applies to:

  • Any organisation established in the EU or EEA, regardless of where processing occurs
  • Non-EU organisations offering goods or services to individuals in the EU
  • Non-EU organisations monitoring the behaviour of individuals in the EU
  • SaaS, e-commerce, and fintech platforms with EU customers
  • HR systems processing the data of EU-based employees
  • Cloud providers and IT vendors acting as data processors
  • Healthcare, insurance, and financial services handling EU resident data
  • Marketing, analytics, and advertising platforms processing EU user data

Penalty Exposure: GDPR fines are split into two tiers. Lower-tier violations, such as incomplete records of processing or missing DPIAs, carry fines of up to €10 million or 2% of global annual turnover. Higher-tier violations, which explicitly include Article 32 security failures, carry fines of up to €20 million or 4% of global annual turnover, whichever is greater. Regulators also retain the power to impose temporary or permanent processing bans, which for many businesses is more damaging than the fine itself.

Article 32's Four Protection Objectives

Article 32(1) does not hand organisations a fixed checklist. Instead, it requires measures that achieve four protection objectives, scaled to the risk the processing presents. Understanding these objectives makes it far easier to see where endpoint management fits.

Objective 01

Confidentiality

Protection against unauthorised access to personal data, achieved through encryption, access controls, and restrictions on how data can leave a device or network.

Objective 02

Integrity

Protection against unauthorised or accidental alteration of personal data, supported by configuration enforcement, change detection, and malware protection.

Objective 03

Availability

The ability to ensure personal data and processing systems remain accessible when needed, and to restore access promptly after a physical or technical incident.

Objective 04

Resilience and Testing

A process for regularly testing, assessing, and evaluating the effectiveness of security measures, rather than treating them as a one-time implementation.

2026 Enforcement Trends

Enforcement under GDPR has matured considerably since 2018. Several patterns have become especially clear through 2025 and 2026 that directly affect how endpoint security is evaluated by regulators.

What's Changed: The European Data Protection Board's 2026 coordinated enforcement action focuses on transparency obligations under Articles 12 to 14, but Article 32 security failures continue to feature in nearly every major fine involving a breach. Regulators are no longer satisfied that a security programme merely exists; they are actively evaluating whether its controls were proportionate to the actual risk and data volume involved.

Vendor and processor oversight has become a particular flashpoint. Supervisory authorities increasingly expect controllers to demonstrate active, continuous monitoring of processor security practices rather than relying on annual questionnaires or contractual assurances alone. When a Data Protection Authority requests evidence of encryption practices or access logging following an incident, the difference between producing a unified audit trail within minutes and reconstructing fragmentary evidence over weeks is frequently the difference between a mitigating factor and an aggravating one in the resulting fine calculation.

For IT teams, the practical implication is straightforward: documented, continuously enforced endpoint controls, not point-in-time policy documents, are what regulators expect to see when something goes wrong.

Article 32 Requirements Mapped to Zecurit Endpoint Manager

The following sections translate Article 32's technical and organisational measures into the specific Zecurit capabilities that support each one.

Requirement 01

Encryption of Personal Data

Article 32(1)(a)

Encryption is the first specific technical measure Article 32 names. Regulators treat unencrypted devices carrying personal data as a critical aggravating factor in breach investigations, and the Garante in particular has issued repeated corrective orders citing missing encryption.

Zecurit Endpoint Manager

BitLocker Management enforces drive encryption across every managed Windows endpoint from a central console, supporting TPM-only, TPM+PIN, and passphrase authentication modes. Recovery keys are backed up automatically, and BitLocker Compliance Reports identify any unprotected devices, giving you the demonstrable encryption coverage Article 32(1)(a) requires.

Related capabilities: BitLocker Management · TPM Policy Management · BitLocker Compliance Reports

Requirement 02

Access Controls and Confidentiality

Article 32(1)(b)

Article 32(1)(b) requires the ability to ensure the ongoing confidentiality of processing systems, meaning personal data can be accessed, altered, or disclosed only by those explicitly authorised to do so, acting within the scope of that authority.

Zecurit Endpoint Manager

Configuration Management's User and Group Management lets IT teams create, modify, and disable local user accounts remotely and enforce password policy from a central console. Remote Access sessions require explicit session confirmation from the end user and are governed by role-based access controls, with full session logging supporting the confidentiality and accountability this requirement demands.

Related capabilities: User and Group Management · Role-Based Access · Session Confirmation and Audit

Requirement 03

Integrity of Personal Data and Processing Systems

Article 32(1)(b)

The same provision requires the ability to ensure ongoing integrity, meaning protection against unauthorised or accidental alteration of personal data and the systems that process it.

Zecurit Endpoint Manager

Security Alerts flag the moment antivirus or antimalware protection is disabled on any endpoint, a primary vector for unauthorised data alteration. Hardware and software change alerts detect unexpected configuration drift, and Configuration Management enforces consistent security baselines so endpoints cannot silently move out of a compliant state.

Related capabilities: Security Alerts · Hardware/Software Change Alerts · Configuration Management

Requirement 04

Preventing Unauthorised Data Exfiltration

Supports Article 32(1)(a)-(b)

Confidentiality is only as strong as the channels through which data can leave a device. Removable storage, unmanaged Bluetooth transfers, and unauthorised peripherals remain common, and largely preventable, routes for personal data leakage that purely network-based controls cannot fully address.

Zecurit Endpoint Manager

Device Control enforces allow, block, or trusted-only policies for removable storage, Bluetooth, wireless adapters, and Windows Portable Devices, including BadUSB keystroke injection prevention. Policies are enforced even when endpoints are offline, and every connection attempt and blocked event is logged with a timestamp and user account.

Related capabilities: Device Control · USB/Removable Storage Policies · Offline Policy Enforcement

Requirement 05

Availability and Resilience

Article 32(1)(b)-(c)

Article 32 requires the ability to ensure ongoing availability and resilience of processing systems, along with the ability to restore access to personal data promptly following a physical or technical incident.

Zecurit Endpoint Manager

Remote Access and Troubleshooting Tools let engineers diagnose and resolve device issues without physical access, minimising downtime to processing systems. Remote Power Management supports forced restarts, Wake on LAN, and remote recovery actions, helping restore device availability quickly after a disruption, exactly the resilience capability this provision requires.

Related capabilities: Remote Access and Tools · Remote Power Management · Wake on LAN

Requirement 06

Regular Testing and Evaluation of Measures

Article 32(1)(d)

Article 32(1)(d) requires a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures, rather than implementing controls once and assuming they remain effective indefinitely.

Zecurit Endpoint Manager

Vulnerability Management continuously maps installed software against known CVEs, while Patch Management ranks missing patches using CVSS scores and active exploit intelligence. This turns Article 32(1)(d)'s testing requirement into a continuous, automated process rather than an annual checkbox exercise.

Related capabilities: Vulnerability Management · Patch Management · CVSS Prioritisation

Requirement 07

Device Inventory and Risk Assessment

Supports Article 32(1), Article 35 (DPIAs)

Article 32's risk-based approach, and the Data Protection Impact Assessments required under Article 35 for high-risk processing, both depend on knowing exactly what devices exist, where they are, and what data-handling software runs on them. The 2026 Thales Data Threat Report found that only a third of organisations have complete knowledge of where their data is stored.

Zecurit Endpoint Manager

Hardware Inventory and Software Inventory maintain real-time visibility into every managed device and the applications running on it. Asset Discovery auto-onboards new devices the moment they connect, closing the visibility gap that undermines so many risk assessments before they even begin.

Related capabilities: Hardware Inventory · Software Inventory · Asset Discovery

Requirement 08

72-Hour Breach Notification Readiness

Articles 33-34

Organisations must report personal data breaches to their lead supervisory authority within 72 hours of becoming aware of the incident, and notify affected individuals without undue delay where the breach poses a high risk to their rights and freedoms.

Zecurit Endpoint Manager

Real-time Monitoring and Alerts flag security incidents the moment they occur rather than during a periodic scan, while Device Control logs give incident response teams the forensic detail needed to scope a breach quickly. Faster detection is the precondition for meeting a 72-hour notification clock at all.

Related capabilities: Real-Time Monitoring and Alerts · Audit Device Logs · Certificate Alerts

Requirement 09

Demonstrable Compliance and Audit Evidence

Supports Article 5(2), Article 24, Article 83(2)

GDPR's accountability principle requires controllers to demonstrate compliance, not merely claim it. When calculating fines, regulators explicitly weigh whether an organisation can produce evidence of its technical and organisational measures, and how quickly. Reconstructing that evidence after an incident is consistently treated as an aggravating factor.

Zecurit Endpoint Manager

Compliance and Reporting provides 100+ built-in report templates, including pre-mapped templates for GDPR, ISO 27001, HIPAA, PCI-DSS, CIS, and NIST. Scheduled Report Delivery emails these reports automatically in PDF, CSV, or XLS format, building a continuous, exportable compliance record that turns evidence production into minutes rather than weeks.

Related capabilities: 100+ Compliance Reports · GDPR Report Templates · Scheduled Report Delivery

GDPR Article 32 Requirements and Zecurit Endpoint Manager Capabilities

A consolidated reference mapping each Article 32 requirement to the relevant Zecurit features, useful for DPIA documentation and supervisory authority audits.

GDPR Requirement: Zecurit Endpoint Manager Capability

  • Encryption (Art. 32(1)(a)): BitLocker Management, TPM Policy Management, BitLocker Compliance Reports
  • Access Controls / Confidentiality (Art. 32(1)(b)): User and Group Management, Role-Based Access, Session Confirmation and Audit
  • Integrity of Systems and Data (Art. 32(1)(b)): Security Alerts, Hardware/Software Change Alerts, Configuration Management
  • Preventing Data Exfiltration: Device Control, USB/Removable Storage Policies, Offline Policy Enforcement
  • Availability and Resilience (Art. 32(1)(b)-(c)): Remote Access and Tools, Remote Power Management, Wake on LAN
  • Regular Testing (Art. 32(1)(d)): Vulnerability Management, Patch Management, CVSS Prioritisation
  • Device Inventory and Risk Assessment: Hardware Inventory, Software Inventory, Asset Discovery
  • 72-Hour Breach Notification (Art. 33-34): Real-Time Monitoring and Alerts, Audit Device Logs, Certificate Alerts
  • Demonstrable Compliance (Art. 5(2), 24): 100+ Compliance Reports, GDPR Report Templates, Scheduled Report Delivery

Article 32 Compliance Is Proven on the Endpoint, Not on Paper

GDPR's security requirement was deliberately written as a principle rather than a checklist, and that flexibility is precisely why so many enforcement actions hinge on it. Regulators are no longer asking whether a security programme exists; they are asking whether its controls actually matched the risk of the data being processed, and whether the organisation can prove it.

That proof lives at the endpoint: encrypted drives, controlled peripherals, monitored access, and patched systems, continuously enforced rather than documented once and forgotten.

Zecurit Endpoint Manager addresses Article 32's core technical measures from a single lightweight agent and unified console, giving IT and compliance teams the encryption, access control, monitoring, and audit-ready reporting that supervisory authorities expect to see, without assembling evidence from a dozen disconnected tools after the fact.

About Zecurit

Zecurit develops cloud-based IT management solutions designed for modern IT teams. The Zecurit platform helps organisations manage endpoints, track assets, enforce security policies, and securely support distributed workforces through centralised, easy-to-use tools.

To learn more about Zecurit Endpoint Manager and how it supports your GDPR compliance programme, start a free 14-day trial or contact the Zecurit team.

Contact Zecurit