Subscribe to the Non-Human & AI Identity Journal

Article 32 Controls

Article 32 controls are the technical and organisational measures required to protect personal data. In practice they include encryption, access control, logging, resilience, and testing, all of which must be appropriate to risk and demonstrable when reviewed by auditors or regulators.

Expanded Definition

Article 32 controls are not a single control, but a risk-based set of measures that organisations must choose, combine, and evidence based on the sensitivity of the personal data they process and the realistic threats they face. In practice, this makes Article 32 closer to a governance obligation than a checklist, especially when personal data flows through cloud services, service accounts, or automated agents. The standard expectation is that technical and organisational safeguards should cover confidentiality, integrity, availability, and resilience, with testing and review proving that those safeguards still work as systems change. That aligns closely with the risk-management language used in the NIST Cybersecurity Framework 2.0, even though Article 32 itself is a legal requirement rather than a security standard. For NHI-heavy environments, Article 32 often becomes the bridge between privacy law and identity control design, because service accounts, API keys, and automation tokens can expose personal data just as directly as human credentials. The most common misapplication is treating Article 32 as a static policy exercise, which occurs when teams write controls once but cannot show how they are measured, tested, or adapted to actual processing risk.

Examples and Use Cases

Implementing Article 32 controls rigorously often introduces operational friction, requiring organisations to weigh stronger assurance against slower change cycles and more documentation overhead.

  • Encrypting personal data at rest and in transit, then maintaining key management procedures that match the system’s risk profile.
  • Restricting access to records through role-based or attribute-based controls, while logging every privileged action for later review.
  • Testing backup, restore, and incident recovery paths so resilience claims can be demonstrated rather than assumed.
  • Applying tighter controls to service accounts that process personal data, especially where secrets are stored or rotated outside a secrets manager; this is a common NHI governance concern highlighted in Ultimate Guide to NHIs — Standards.
  • Using security reviews to confirm that logging, retention, and access restrictions remain proportionate as processing changes across cloud, SaaS, and CI/CD pipelines.

These examples map well to the risk-based posture described in the NIST Cybersecurity Framework 2.0, where protective and detective measures are expected to work together rather than in isolation.

Why It Matters for Security Teams

Article 32 matters because regulators do not accept intent as evidence. Security teams must show that controls are appropriate to the actual processing environment, and that includes identity paths that are often overlooked in privacy programmes. In NHI-heavy estates, a service account with broad access to personal data can defeat otherwise strong perimeter controls, which is why NHI governance belongs in Article 32 discussions even when the legal team leads the review. NHI Mgmt Group has found that only 5.7% of organisations have full visibility into their service accounts, which helps explain why control gaps persist in audit evidence and incident response. That lack of visibility makes it difficult to prove access limitation, revocation, and logging for automated workloads. Article 32 also reinforces operational resilience: if an organisation cannot restore systems, rotate secrets, or prove that monitoring works after an event, its privacy posture is weak even if policies exist. Security teams often encounter Article 32 as a hard requirement only after a breach, when auditors ask for proof of protection and the organisation cannot demonstrate it cleanly. For deeper operational context, NHI teams often align their evidence packs with Ultimate Guide to NHIs — Standards while keeping control design consistent with NIST Cybersecurity Framework 2.0.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.AC Article 32 control sets map to access control and protective safeguards.
OWASP Non-Human Identity Top 10 NHI-02 Secret storage and lifecycle weaknesses directly affect Article 32 compliance evidence.

Use PR.AC to define least-privilege access, authentication, and logging for personal data systems.