Control template: GDPR Article 32 (security of processing)
Status: Public Beta · Version: gdpr/v0.1.0-beta
A bundle of CALM control snippets covering the architecturally
enforceable subset of GDPR Article 32 (security of processing
of personal data). You copy these into your *.calm.json files on
the nodes that process personal data of EU/UK data subjects.
Who GDPR applies to
Any organization that processes personal data of EU/UK data subjects, regardless of the organization's location (extraterritorial scope under Art. 3). Common categories:
- EU/UK established controllers and processors
- Non-EU companies offering goods/services to EU/UK residents
- Non-EU companies monitoring behavior of EU/UK residents
- Public-sector bodies processing personal data
- Cloud providers acting as processors for EU controllers
Brexit note: UK GDPR (the onshored regime) is substantially aligned with EU GDPR; this template uses EU naming conventions but the architectural surface is the same. The Data Protection Act 2018 + UK GDPR are the authoritative UK sources.
What this template covers
GDPR Art. 32 lists technical and organizational measures, including:
- pseudonymisation and encryption (Art. 32(1)(a))
- ongoing confidentiality, integrity, availability, and resilience (Art. 32(1)(b))
- ability to restore data after an incident (Art. 32(1)(c))
- regular testing of measures (Art. 32(1)(d))
The architectural slice maps to ~10 controls, plus related obligations from Art. 30 (RoPA), Art. 33 (breach notification), Art. 25 (data protection by design), and Art. 28 (processor contracts) where they have an architectural surface.
| GDPR citation | Architectural surface | Control alias |
|---|---|---|
| Art. 30 | Record of Processing Activities | gdpr-record-of-processing |
| Art. 25 | Data protection by design + default | gdpr-privacy-by-design |
| Art. 32(1)(a) | Pseudonymisation / encryption at rest | gdpr-encryption-at-rest |
| Art. 32(1)(a) | Encryption in transit | gdpr-encryption-in-transit |
| Art. 32(1)(b) | Access restriction (need-to-know) | gdpr-access-restriction |
| Art. 32(1)(b) | Audit logging on personal-data access | gdpr-access-logging |
| Art. 32(1)(c) | Backup + restoration | gdpr-backup-restoration |
| Art. 32(1)(d) | Periodic testing of measures | gdpr-measures-testing |
| Art. 33 | Breach notification pipeline | gdpr-breach-notification |
| Art. 28 + Chapter V | Processor + international-transfer mapping | gdpr-processor-transfer-mapping |
| Art. 17 + Art. 5(1)(e) | Data retention + erasure | gdpr-retention-and-erasure |
11 architectural controls covering the GDPR surfaces that have implementation-shaped requirements. GDPR is heavy on process and contractual obligations (DPIA, DSAR handling, controller-processor agreements, etc.) that are NOT architectural — document those in your firm's privacy program, not your CALM.
The "personal-data-scope" pattern
A node is in GDPR scope if it processes personal data of EU/UK data subjects. Tag those nodes:
{
  "unique-id": "customer-records-service",
  "node-type": "service",
  "name": "Customer Records Service",
  "metadata": {
    "gdpr-in-scope": true,
    "data-categories": ["contact-data", "transaction-history"],
    "special-categories-processed": false,
    "data-classification": "personal-data"
  }
}
If you process special categories (Art. 9 — health, biometric,
political opinion, religious belief, sex life, etc.) flip
special-categories-processed: true; stricter expectations apply.
Control snippets
Copy each block under the controls key of the node it applies to.
Art. 30 — Record of Processing Activities (gdpr-record-of-processing)
Graph-level. Every controller and processor maintains a RoPA. This control declares that the firm's RoPA is maintained and includes this node's processing activities.
"metadata": {
  "controls": {
    "gdpr-record-of-processing": {
      "description": "GDPR Art. 30 — Record of Processing Activities. The firm maintains a comprehensive RoPA covering all processing activities, including those performed by this node.",
      "requirements": [
        {
          "requirement-url": "https://archrails.io/catalog/req/gdpr/record-of-processing",
          "config": {
            "control-id": "gdpr-record-of-processing",
            "ropa-document-url": "https://internal.example.com/gdpr/ropa",
            "responsible-role": "dpo",
            "review-frequency": "annual-and-on-significant-change",
            "ropa-entry-id": "ROPA-2025-CUSTOMER-RECORDS"
          }
        }
      ]
    }
  }
}
Art. 25 — Privacy by design + default (gdpr-privacy-by-design)
Per-node.
"gdpr-privacy-by-design": {
  "description": "GDPR Art. 25 — data protection by design and by default. Privacy-preserving defaults; only the personal data necessary for the specific purpose is processed.",
  "requirements": [
    {
      "requirement-url": "https://archrails.io/catalog/req/gdpr/privacy-by-design",
      "config": {
        "control-id": "gdpr-privacy-by-design",
        "data-minimization-applied": true,
        "pseudonymization-where-possible": true,
        "opt-in-defaults-for-non-essential": true,
        "purpose-limitation-enforced": true,
        "design-review-document-url": "https://internal.example.com/gdpr/design-reviews"
      }
    }
  ]
}
Art. 32(1)(a) — Encryption at rest (gdpr-encryption-at-rest)
Per-node.
"gdpr-encryption-at-rest": {
  "description": "GDPR Art. 32(1)(a) — pseudonymisation and encryption of personal data at rest as a measure proportionate to the risk.",
  "requirements": [
    {
      "requirement-url": "https://archrails.io/catalog/req/gdpr/encryption-at-rest",
      "config": {
        "control-id": "gdpr-encryption-at-rest",
        "algorithm": "AES-256-GCM",
        "key-management": "hsm-or-kms-cmk",
        "key-rotation-days": 365,
        "pseudonymization-tokens-for-direct-identifiers": true
      }
    }
  ]
}
Art. 32(1)(a) — Encryption in transit (gdpr-encryption-in-transit)
Relationship-level.
"controls": {
  "gdpr-encryption-in-transit": {
    "description": "GDPR Art. 32(1)(a) — encryption of personal data in transit.",
    "requirements": [
      {
        "requirement-url": "https://archrails.io/catalog/req/gdpr/encryption-in-transit",
        "config": {
          "control-id": "gdpr-encryption-in-transit",
          "minimum-tls-version": ["1.2", "1.3"],
          "forbidden-protocols": ["http", "ftp", "telnet", "smtp-plain", "ws"]
        }
      }
    ]
  }
}
Art. 32(1)(b) — Access restriction (gdpr-access-restriction)
Per-node.
"gdpr-access-restriction": {
  "description": "GDPR Art. 32(1)(b) — ongoing confidentiality of personal-data processing. Access restricted to authorized personnel on a need-to-know basis.",
  "requirements": [
    {
      "requirement-url": "https://archrails.io/catalog/req/gdpr/access-restriction",
      "config": {
        "control-id": "gdpr-access-restriction",
        "authentication": "saml-sso-plus-mfa",
        "authorization": "rbac-need-to-know",
        "allowed-roles": ["customer-success-read", "support-escalation", "data-analyst-aggregated-only"],
        "review-frequency": "quarterly"
      }
    }
  ]
}
Art. 32(1)(b) — Access logging (gdpr-access-logging)
Per-node.
"gdpr-access-logging": {
  "description": "GDPR Art. 32(1)(b) — logging of access to personal data sufficient to detect anomalies and support DSAR / breach investigation.",
  "requirements": [
    {
      "requirement-url": "https://archrails.io/catalog/req/gdpr/access-logging",
      "config": {
        "control-id": "gdpr-access-logging",
        "events": ["read", "write", "export", "deletion", "auth-success", "auth-failure"],
        "destination": "centralized-siem",
        "immutable": true,
        "retention-days": 730
      }
    }
  ]
}
Art. 32(1)(c) — Backup + restoration (gdpr-backup-restoration)
Per-node.
"gdpr-backup-restoration": {
  "description": "GDPR Art. 32(1)(c) — ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.",
  "requirements": [
    {
      "requirement-url": "https://archrails.io/catalog/req/gdpr/backup-restoration",
      "config": {
        "control-id": "gdpr-backup-restoration",
        "rpo-minutes": 60,
        "rto-minutes": 240,
        "backup-encryption-at-rest": true,
        "restoration-test-frequency": "semi-annual",
        "last-restoration-test-date": "2025-04-12"
      }
    }
  ]
}
Art. 32(1)(d) — Periodic testing (gdpr-measures-testing)
Graph-level.
"metadata": {
  "controls": {
    "gdpr-measures-testing": {
      "description": "GDPR Art. 32(1)(d) — process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures.",
      "requirements": [
        {
          "requirement-url": "https://archrails.io/catalog/req/gdpr/measures-testing",
          "config": {
            "control-id": "gdpr-measures-testing",
            "frequency": "annual",
            "scope": ["encryption-effectiveness", "access-control-review", "logging-completeness", "backup-restoration"],
            "evidence-document-url": "https://internal.example.com/gdpr/measures-testing"
          }
        }
      ]
    }
  }
}
Art. 33 — Breach notification (gdpr-breach-notification)
Graph-level. Pipeline + responsibilities for the 72-hour breach notification to the supervisory authority.
"metadata": {
  "controls": {
    "gdpr-breach-notification": {
      "description": "GDPR Art. 33 — personal-data breaches notified to the supervisory authority within 72 hours of becoming aware, with documented criteria for what constitutes a notifiable breach.",
      "requirements": [
        {
          "requirement-url": "https://archrails.io/catalog/req/gdpr/breach-notification",
          "config": {
            "control-id": "gdpr-breach-notification",
            "supervisory-authority": "ICO",
            "notification-deadline-hours": 72,
            "internal-detection-process-url": "https://internal.example.com/gdpr/breach-detection",
            "notification-template-url": "https://internal.example.com/gdpr/breach-template",
            "data-subject-notification-criteria-url": "https://internal.example.com/gdpr/data-subject-notification",
            "tested-annually": true,
            "last-test-date": "2025-03-18"
          }
        }
      ]
    }
  }
}
Art. 28 + Chapter V — Processor + transfer mapping (gdpr-processor-transfer-mapping)
Per-relationship. Attach to edges that send personal data to a third party (processor) or to a non-EU jurisdiction.
"controls": {
  "gdpr-processor-transfer-mapping": {
    "description": "GDPR Art. 28 (controller-processor) + Chapter V (international transfers). This data flow is governed by a Data Processing Agreement and (when applicable) appropriate transfer safeguards (SCCs, adequacy decision, BCRs).",
    "requirements": [
      {
        "requirement-url": "https://archrails.io/catalog/req/gdpr/processor-transfer-mapping",
        "config": {
          "control-id": "gdpr-processor-transfer-mapping",
          "counterparty-name": "Acme Cloud Services GmbH",
          "counterparty-role": "processor",
          "dpa-signed": true,
          "dpa-document-url": "https://internal.example.com/gdpr/dpas/acme-cloud",
          "international-transfer": false,
          "transfer-safeguard": "n/a",
          "data-categories-transferred": ["contact-data", "transaction-history"]
        }
      }
    ]
  }
}
For non-EU transfers, populate international-transfer: true and
transfer-safeguard with one of: adequacy-decision,
standard-contractual-clauses-2021, binding-corporate-rules,
or derogation-art-49.
Art. 17 + Art. 5(1)(e) — Retention + erasure (gdpr-retention-and-erasure)
Per-node.
"gdpr-retention-and-erasure": {
  "description": "GDPR Art. 5(1)(e) storage-limitation principle + Art. 17 right to erasure. Documented retention period + automated erasure path for personal data at end of retention OR on a valid erasure request.",
  "requirements": [
    {
      "requirement-url": "https://archrails.io/catalog/req/gdpr/retention-and-erasure",
      "config": {
        "control-id": "gdpr-retention-and-erasure",
        "retention-policy-url": "https://internal.example.com/gdpr/retention-policy",
        "max-retention-days": 1095,
        "automated-erasure-on-policy-expiry": true,
        "erasure-on-request-sla-days": 30,
        "erasure-evidence-logged": true
      }
    }
  ]
}
What the engine enforces
Same constraint engine that handles PCI / DORA / SOX / HIPAA / SOC 2 / MiFID / your own controls. Per-rule behavior:
- Presence-shape rules (encryption-at-rest, access-restriction, access-logging, etc.): the engine fires a finding when a node tagged gdpr-in-scope: true does NOT declare the corresponding control.
- Value-constrained rules (retention-days, TLS version, RPO/RTO, notification deadline): the engine checks the config value.
- Relationship-level rules (encryption-in-transit, processor mapping): the engine walks edges and fires when a personal-data-carrying edge lacks the required attestation.
All deterministic — pure function over your CALM JSON.
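As an added example (not the archrails engine or any of its code), the following Python applies the three rule kinds above to nodes tagged with the personal-data-scope pattern. It assumes a simplified CALM document with top-level "nodes" and "relationships" lists, edges shaped as {"relationship-type": {"connects": {"source": {"node": ID}, "destination": {"node": ID}}}}, and treats an edge as personal-data-carrying when either endpoint is in scope; the numeric thresholds are illustrative, not the catalog's real values.

```python
# Presence-shape rules: aliases every gdpr-in-scope node must declare.
REQUIRED_NODE_CONTROLS = (
    "gdpr-encryption-at-rest", "gdpr-access-restriction", "gdpr-access-logging",
    "gdpr-backup-restoration", "gdpr-retention-and-erasure",
)
# Value-constrained rules: (alias, config key, predicate, reason on failure).
# Thresholds are assumed for illustration, not the catalog's real values.
VALUE_RULES = (
    ("gdpr-access-logging", "retention-days", lambda v: v >= 365, "below 365"),
    ("gdpr-backup-restoration", "rto-minutes", lambda v: v <= 1440, "above 1440"),
    ("gdpr-encryption-in-transit", "minimum-tls-version",
     lambda v: all(x in ("1.2", "1.3") for x in v), "permits TLS below 1.2"),
)

def _config(control):
    """Merge the config blocks of every requirement under one control."""
    return {k: v for req in control.get("requirements", []) for k, v in req.get("config", {}).items()}

def _check_values(owner_id, declared, findings):
    """Apply VALUE_RULES to whichever constrained controls the owner declares."""
    for alias, key, ok, reason in VALUE_RULES:
        if alias in declared:
            value = _config(declared[alias]).get(key)
            if value is None or not ok(value):
                findings.append((owner_id, alias, f"{key} {reason}"))

def evaluate(calm):
    """Pure function: CALM dict in, list of (element id, alias, reason) findings out."""
    findings, in_scope = [], set()
    for node in calm.get("nodes", []):
        meta = node.get("metadata", {})
        if not meta.get("gdpr-in-scope"):
            continue  # presence and value rules only apply to tagged nodes
        nid, declared = node["unique-id"], meta.get("controls", {})
        in_scope.add(nid)
        for alias in REQUIRED_NODE_CONTROLS:
            if alias not in declared:
                findings.append((nid, alias, "control not declared"))
        _check_values(nid, declared, findings)
    # Relationship-level rules: an edge carries personal data when either end is in scope (assumption).
    for rel in calm.get("relationships", []):
        ends = rel.get("relationship-type", {}).get("connects", {})
        touched = {ends.get("source", {}).get("node"), ends.get("destination", {}).get("node")}
        if not touched & in_scope:
            continue
        declared = rel.get("metadata", {}).get("controls", {})
        if "gdpr-encryption-in-transit" not in declared:
            findings.append((rel["unique-id"], "gdpr-encryption-in-transit", "control not declared"))
        _check_values(rel["unique-id"], declared, findings)
    return findings
```

Because evaluate() is a pure function over the parsed JSON, the same input always yields the same finding list, which is what makes the result reviewable in a pull request.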
Auto-include during bootstrap (coming)
A future release will let archrails bootstrap detect EU-touching
repos and offer to auto-include this template.
Versioning
This is gdpr/v0.1.0-beta. Pre-1.0 = beta. Bumps to v1.0.0 per
the GA criteria above. Updates as EDPB guidelines or DPA enforcement
priorities materially shift expectations.
Out of scope for this template
- Legal basis for processing (Art. 6 + Art. 9) — declaration is procedural, not architectural. Document in your RoPA.
- DSAR (Data Subject Access Request) handling — operational workflow, not architectural. (Though the access-logging control above supports DSAR completeness.)
- DPIA (Data Protection Impact Assessment) — Art. 35 — process / methodology, not architectural.
- Controller-processor contract terms (Art. 28) — legal agreement; the template records the existence + reference URL of the DPA but does not enforce contract terms.
- International transfer safeguards (SCCs, BCRs) — legal arrangements; template records which safeguard applies but does not enforce contract terms.
- Cookies + e-privacy (ePrivacy Directive) — separate framework; potentially a sub-template.
For those surfaces, pair this template with your privacy program documentation and engage a qualified DPO or privacy law firm.