The state of the art requirement for GDPR security measures

Article 32 of the GDPR sets out the security obligations for controllers and processors with regards to personal data processing. It stipulates that they shall take ‘appropriate technical and organisational measures to ensure a level of security appropriate to the risk’. One of the elements to assess the appropriateness of the measures is ‘the state of the art’. This panel will inquire into the practical and theoretical aspects of ‘the state of the art’ notion, both from a legal and a technical perspective, aided by practical experience from the industry. This should contribute to a better understanding of challenges and potential solutions.

• How do practitioners and data protection authorities interpret ‘state of the art’ requirements, and what could this mean for the interpretation of art. 32 GDPR?
• How could information security technical standards determine the meaning of ‘the state of the art’, and, as a result, the obligations that stem from Article 32?  
• What impact could technical innovation in digital security have on these obligations; at what point should they be considered ‘state of the art’?
• What is the role of economic arguments in the context of the ‘state of the art’ requirement?
• What role could certification play in complying with the state of the art requirement?

‍