GDPR Article 32: How to Prove You Share Documents Securely
Published on April 22, 2026
GDPR Article 32 requires organisations to implement appropriate technical and organisational security measures when processing personal data. For finance teams that share documents externally, this means encrypting data in transit and at rest, controlling who can access documents, and maintaining records that prove your security measures are in place. This article explains exactly what Article 32 demands and how to demonstrate compliance.
What Article 32 Actually Requires
Article 32(1) lists the measures controllers and processors must consider, taking into account the state of the art, implementation costs, and the risks posed by the processing. These include:
- Pseudonymisation and encryption of personal data
- The ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems
- The ability to restore access to personal data in a timely manner after a physical or technical incident
- A process for regularly testing, assessing, and evaluating the effectiveness of security measures
The phrase "appropriate measures" is significant. Regulators do not expect the same controls from a two-person advisory firm as from a systemically important bank. The standard is proportionate to your risk profile, the sensitivity of the data, and the potential harm to data subjects if a breach occurs.
The Four Technical Controls That Satisfy Article 32 for Document Sharing
For teams sharing documents with clients, counterparties, or advisers, four technical controls form the foundation of an Article 32 compliant approach.
Encryption in transit and at rest. Every document transferred over the internet should be encrypted using TLS 1.2 or higher. Documents stored on servers should be encrypted at rest, with AES-256 the current industry standard. If you send documents as email attachments, you have no guarantee that either condition is met.
Access controls. Only authorised recipients should be able to open a document. This means using unique access links rather than publicly accessible URLs, requiring email verification or a password before access is granted, and setting link expiry dates so access cannot persist indefinitely.
Audit logging. Article 32 requires that you can demonstrate your security measures work. An audit log that records who accessed a document, when, from which IP address or location, and for how long provides that evidence. Without it, you cannot prove compliance even if your controls are strong.
Data residency. For EU data subjects, processing their personal data on servers located outside the EEA introduces transfer risk under Chapter V of the GDPR. Hosting documents on EU infrastructure removes this risk and simplifies your compliance position.
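To show how the access-control and audit-logging controls described above fit together, here is an added example written for this article (not SendNow's implementation): an in-memory Python model that mints unique expiring links, gates access on recipient email verification and revocation, and records every access attempt, granted or denied, so the log can be exported per document. All class, method and field names are assumptions.

```python
# Added example (not SendNow's code): in-memory model of the access-control and audit-logging controls.
import hmac
import secrets
import time
from dataclasses import dataclass

@dataclass
class ShareLink:
    document_id: str
    allowed_email: str   # recipient who must verify their address before access
    expires_at: float    # link expiry as epoch seconds
    revoked: bool = False

class DocumentShareService:
    def __init__(self, clock=time.time):
        self.clock = clock      # injectable clock so expiry is testable
        self.links = {}         # token -> ShareLink
        self.audit_log = []     # one record per access attempt, granted or denied

    def create_link(self, document_id, allowed_email, ttl_seconds):
        # 256-bit random token: unique per recipient and unguessable, unlike a public URL
        token = secrets.token_urlsafe(32)
        self.links[token] = ShareLink(document_id, allowed_email.lower(),
                                      self.clock() + ttl_seconds)  # expiry fixed at creation
        return token

    def revoke(self, token):
        self.links[token].revoked = True

    def open_document(self, token, presented_email, client_ip):
        # Gate on token, revocation, expiry and email; log every attempt, granted or not
        link = self.links.get(token)
        now = self.clock()
        if link is None:
            outcome = "denied:unknown_token"
        elif link.revoked:
            outcome = "denied:revoked"
        elif now > link.expires_at:
            outcome = "denied:expired"
        elif not hmac.compare_digest(presented_email.lower().encode(), link.allowed_email.encode()):
            outcome = "denied:email_mismatch"
        else:
            outcome = "granted"
        self.audit_log.append({"timestamp": now, "client_ip": client_ip,
                               "document_id": link.document_id if link else None,
                               "email": presented_email.lower(), "outcome": outcome})
        return outcome

    def export_log(self, document_id):
        return [r for r in self.audit_log if r["document_id"] == document_id]
```

Denied attempts are logged alongside granted ones, since a trail that only records successes cannot show that the controls were actually exercised.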
Building Your Article 32 Evidence Pack
If a supervisory authority investigates your document sharing practices, they will expect to see evidence, not just assertions. Your evidence pack should include:
- A Data Processing Agreement with each platform you use to share documents, confirming the processor's security measures.
- Security configuration records showing that encryption, access controls, and logging are active in your document sharing tool.
- Sample audit logs demonstrating the level of detail captured for each access event.
- A risk assessment or DPIA that documents why your chosen measures are appropriate for the categories of data you share.
- Incident records, even if the incidents were minor, showing that you monitor, detect, and respond to security events.
How a Document Sharing Platform Generates Article 32 Evidence
Using a purpose-built document sharing platform rather than email or general cloud storage simplifies Article 32 compliance considerably. Each shared document link can generate an automatic audit record, and the platform's infrastructure certifications serve as third-party evidence of the technical controls in place.
With SendNow, every document link generates a detailed access log. You can export these logs for any given document and present them as part of your Article 32 evidence pack. Combined with SendNow's AES-256 encryption, EU-hosted infrastructure, and access control defaults, the platform provides the technical layer your organisational measures sit on top of.
Article 32 Compliance Checklist for Document Sharing
| Requirement | How to Meet It |
|---|---|
| Encryption in transit | TLS 1.2+ enforced on all document links |
| Encryption at rest | AES-256 on all stored documents |
| Access limitation | Email-gated or password-protected links |
| Link expiry | Automatic expiry after defined period |
| Audit logging | Timestamped access records per document |
| EU data residency | Documents hosted on EU servers |
| DPA with processor | Signed DPA with document sharing provider |
| Security testing | Annual review of platform security settings |
For deeper background on audit trails specifically, read How to Maintain a GDPR-Compliant Audit Trail. For the full framework, see our GDPR Document Sharing Complete Guide and AES-256 Encryption for Document Sharing Explained.
Start generating Article 32 evidence today. Every document shared through SendNow is automatically logged, encrypted, and EU-hosted. Visit sendnow.live to see how it works.
Frequently Asked Questions
Q: Does Article 32 apply to document sharing as well as stored data? A: Yes. Article 32 applies to all processing of personal data, which includes transferring documents containing personal data to external parties. The act of sharing is a processing activity and must meet the same security standard as storage.
Q: What does "appropriate" security mean under Article 32? A: Appropriateness is assessed against the risks. For finance teams sharing confidential client data, the risk level is high, so the standard of security measures expected is correspondingly high. AES-256 encryption, access controls, and audit logging represent current best practice for this risk level.
Q: Can I rely on a recipient's security if I send them a document? A: No. Once a document leaves your control, the recipient's security posture is their responsibility. Your obligation under Article 32 is to secure the transfer itself. Using an access-controlled, encrypted link rather than an email attachment limits your exposure once the document is delivered.
Q: Is email encrypted enough for Article 32 compliance? A: Standard email is not sufficient. While TLS encrypts email in transit between servers, attachments are not encrypted at rest on the recipient's server, there is no access logging, and you cannot revoke access once sent. Purpose-built document sharing tools provide significantly stronger controls.
Q: Do we need to update our Article 32 assessment when we change document sharing tools? A: Yes. Article 32 is a living obligation. Changing your document sharing platform is a material change to your processing environment and should trigger a review of your technical measures and, if necessary, an updated DPIA.
Q: What happens if a supervisory authority finds our Article 32 measures inadequate? A: They can issue a corrective order requiring you to improve your measures, and in serious cases can impose an administrative fine of up to 10 million EUR or 2% of global annual turnover under Article 83(4).
Q: Does using a GDPR-compliant vendor automatically satisfy Article 32? A: No. Your vendor's compliance is a necessary but not sufficient condition. You must also configure the tool correctly and implement organisational measures such as staff training and a document sharing policy. Article 32 compliance requires both layers.
Q: How often should we test our document security measures? A: Article 32(1)(d) explicitly requires a process for regularly testing and evaluating security measures. Annual testing is a minimum for most organisations. After any material change to your platform or processing activities, an immediate review is prudent.