What Are the GDPR Security Requirements Developers Need to Follow?

Written by the Rafter Team

GDPR security requirements obligate you to implement "appropriate technical and organisational measures" whenever you process personal data of EU residents. Articles 25 and 32 are the two provisions that translate directly into engineering work. Article 25 requires data protection by design and by default. Article 32 requires you to ensure a level of security appropriate to the risk. Neither article prescribes specific technologies — they define outcomes you must achieve, and EU Data Protection Authorities judge your compliance by whether your technical choices were reasonable given what was available.
What GDPR Article 32 Actually Requires
Article 32(1) lists four specific capabilities you must implement: (a) pseudonymisation and encryption of personal data; (b) the ability to ensure ongoing confidentiality, integrity, and availability; (c) the ability to restore access to data after an incident; and (d) a process for regularly testing and assessing the effectiveness of your technical measures.
That last requirement is the one most development teams miss. Article 32 does not just require you to deploy security controls — it requires you to continuously verify those controls work. Static security configurations that are never tested do not satisfy the regulation.
EU DPAs do not accept "we ran a pentest last year" as ongoing assessment. The Irish DPC fined Meta 1.2 billion euros in 2023 partly because technical safeguards were not continuously evaluated. Regular, automated testing of your security measures is what Article 32(1)(d) demands.
Data Protection by Design Under Article 25
Article 25 requires you to integrate data protection into your system architecture from the start — not bolt it on before launch. In practice, this means minimising the personal data you collect, encrypting data at rest and in transit, implementing access controls that enforce least privilege, and building deletion capabilities that actually purge data when retention periods expire.
DPAs evaluate Article 25 compliance by examining whether you considered data protection during design. If your architecture stores personal data in plaintext because "encryption was going to be added later," that is a violation regardless of whether a breach occurred.
Scan your codebase for GDPR-relevant vulnerabilities with Rafter — detect hardcoded secrets, missing encryption, and data exposure risks in under two minutes.
How EU DPAs Enforce These Requirements
Enforcement follows a pattern. DPAs investigate after a breach notification, a complaint, or a sector-wide audit. They assess whether your technical measures were appropriate at the time of processing — not whether they prevented every possible attack.
Three factors determine whether a DPA considers your measures "appropriate": the state of the art in security technology, the cost of implementation relative to your resources, and the severity of the risk to data subjects. A startup processing email addresses faces different expectations than a health tech company processing medical records. But both must demonstrate they assessed the risk and chose measures proportional to it.
Fines under GDPR can reach 4% of annual global turnover or 20 million euros, whichever is higher. DPAs have consistently issued larger fines where organisations failed to implement measures that were readily available and cost-effective — exactly the category that automated security scanning falls into.
Scanning for Data Protection by Design
Automated security scanning directly addresses multiple GDPR technical requirements. Static application security testing (SAST) detects hardcoded credentials and insecure cryptographic implementations. Software composition analysis (SCA) identifies vulnerable dependencies that undermine your security posture. Secrets detection catches API keys and database credentials committed to source control.
Running these scans in CI on every pull request creates the continuous assessment process that Article 32 demands. Each scan produces timestamped evidence that your security measures are regularly tested — exactly the audit trail DPAs look for during investigations.
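As an added example (not Rafter's code and not part of the original article), here is a minimal pre-merge secrets check of the kind described above: it scans only the added lines of a unified diff and emits a timestamped evidence record that stores a hash of each match rather than the credential itself. The detection patterns, the sample diff and the commit id are constructed for illustration.

```python
import hashlib
import re
from datetime import datetime, timezone

# Constructed patterns: the AWS access key ID format is publicly documented;
# the other two are simple "name = 'value'" assignment checks.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_password": re.compile(r"(?i)(password|passwd|pwd)\s*[=:]\s*['\"][^'\"]{6,}['\"]"),
    "generic_api_key": re.compile(r"(?i)(api[_-]?key|secret[_-]?key)\s*[=:]\s*['\"][^'\"]{12,}['\"]"),
}

def scan_added_lines(diff_lines):
    """Return findings for the '+' lines of a unified diff (new code only)."""
    findings = []
    for n, line in enumerate(diff_lines, 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # skip context, removals and the '+++ b/file' header
        for name, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if match:
                # Store a truncated hash, never the matched text, so the
                # evidence record itself cannot leak the credential.
                digest = hashlib.sha256(match.group(0).encode()).hexdigest()[:12]
                findings.append({"line": n, "type": name, "match_sha256": digest})
    return findings

def evidence_record(commit, diff_lines):
    """One timestamped scan result: the per-PR audit trail for Article 32(1)(d)."""
    findings = scan_added_lines(diff_lines)
    return {
        "control": "secrets-detection",
        "commit": commit,
        "scanned_at": datetime.now(timezone.utc).isoformat(),
        "findings": findings,
        "result": "fail" if findings else "pass",
    }

# Constructed sample diff; "AKIAIOSFODNN7EXAMPLE" is AWS's documented example key.
SAMPLE_DIFF = [
    "+++ b/config.py",
    '+DB_HOST = "db.internal"',
    '+DB_PASSWORD = "hunter2hunter2"',
    '+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"',
    " unchanged = True",
]

if __name__ == "__main__":
    record = evidence_record("0000000 (placeholder commit id)", SAMPLE_DIFF)
    print(record["result"], record["findings"])  # -> fail, two findings
```

Appending each record to an append-only store (or uploading it as a CI artifact) is what turns a one-off scan into the regularly tested, documented control the paragraph above describes.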
Add Rafter to your pipeline — generate the continuous security evidence GDPR Article 32 requires.