GDPR Article 32 and the security of processing
The General Data Protection Regulation governs how organisations handle personal data. Article 32, on the security of processing, requires controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. It names examples including encryption of personal data and the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems.
For a website that handles personal data, those measures translate into concrete web facing controls. Encrypting personal data in transit with TLS, enforcing HTTPS with HSTS, applying security headers such as Content Security Policy, and securing cookies with the Secure, HttpOnly, and SameSite flags all support the confidentiality and integrity that Article 32 expects. SiteSecurityScore is a free scanner that grades exactly these web facing controls, so you can assess and evidence them in one pass.
Be clear about scope. A header scan covers the technical web security slice of GDPR. It does not establish lawful basis, data subject rights, or consent. Cookies also fall under the ePrivacy rules and consent, which are separate legal matters. SiteSecurityScore does not make you GDPR compliant, and nothing on this page is legal advice. Confirm your obligations with your Data Protection Officer or legal counsel.
GDPR requirement mapping: what SiteSecurityScore covers
This table maps common GDPR security expectations to what a SiteSecurityScore scan can actually help with. The honest answer is that it covers the web and transport security layer well and leaves the legal, consent, and governance layers to your team.
Technical measures SiteSecurityScore helps evidence
| Requirement | What the scan checks | SiteSecurityScore |
|---|---|---|
| Encryption of personal data in transit (TLS) and enforced HTTPS (HSTS) | Checks TLS configuration, certificate validity, and the Strict-Transport-Security header so personal data is protected in transit. | Covered |
| Appropriate technical measures for web application security (security headers, CSP) | Analyses Content Security Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy to reduce XSS, clickjacking, and data leakage risk. | Covered |
| Secure cookies (Secure, HttpOnly, SameSite) as part of confidentiality and integrity | Audits cookie security flags so session and personal data cookies resist interception and cross-site request forgery. | Covered |
| Ongoing assessment of security measures (Article 32(1)(d)) | Daily monitoring re-scans your web security posture and alerts on changes, with timestamped PDF reports as a recurring record. | Covered |
GDPR obligations SiteSecurityScore does not cover
| Requirement | Why a scan cannot evidence it | SiteSecurityScore |
|---|---|---|
| Cookie consent, consent banners, and lawful basis for processing | This is a legal and consent management matter under the ePrivacy rules, not a header scan. SiteSecurityScore checks cookie security flags, not whether valid consent was obtained. | Not covered |
| Data subject rights, data processing agreements, and records of processing | Access, erasure, portability, DPAs, and records of processing activities are governance and process obligations that a security scanner cannot establish or evidence. | Not covered |
How SiteSecurityScore helps your GDPR technical measures
A scan turns the abstract phrase "appropriate technical measures" into a concrete checklist for the web facing layer. Here is where SiteSecurityScore directly supports the security of processing that Article 32 expects.
Encryption of personal data in transit
Verifies TLS configuration, certificate validity, and the HSTS header so personal data submitted through your site is encrypted and HTTPS is enforced.
Web application security headers
Grades Content Security Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy to reduce the risk of XSS, clickjacking, and data leakage.
Cookie security flags
Audits Secure, HttpOnly, and SameSite on every cookie so session and personal data cookies resist interception and cross-site request forgery. This is cookie security, not cookie consent.
DNS, CORS, and disclosure checks
Reviews DNS records, CORS configuration, and security.txt so the wider surface of your domain stays consistent with the confidentiality you are expected to maintain.
Timestamped PDF reports
Generates dated reports of your web security posture that you can keep as supporting evidence that you assess and maintain technical measures over time.
Letter grade and fixes
Returns a letter grade with copy and paste fixes, plus a REST API, browser extension, and MCP connector so you can build the checks into your own workflows.
Ongoing assessment with daily monitoring
Article 32(1)(d) expects a process for regularly testing, assessing, and evaluating the effectiveness of your technical measures. A one-time scan shows a snapshot. Continuous checks show a process.
SiteSecurityScore daily monitoring re-scans your TLS configuration, security headers, and cookie flags every day and emails you when something changes or regresses. Paired with timestamped PDF reports, that gives you a recurring record that you are reviewing the web facing layer of your security posture over time. It supports the ongoing assessment expectation for that layer, and it leaves the organisational measures and legal reviews to your team.
Automated daily re-scans
Every monitored site is checked once per day across TLS, headers, and cookie security.
Alerts on regressions
Get an email when a header is removed, a certificate nears expiry, or a cookie flag changes.
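To make the header, cookie and regression checks described above concrete, here is an added example (written for this page, not SiteSecurityScore's own scanner code). It evaluates one captured HTTP response's security headers and Set-Cookie lines, assigns a simple letter grade, and then diffs two snapshots the way a daily re-scan would, reporting every check that passed yesterday and fails today. The sample responses, the one-year HSTS max-age threshold, and the grade thresholds are all assumptions constructed for the example; TLS and certificate checks are out of scope because they need a live connection rather than captured headers.

```python
"""Header, cookie and regression checks over captured HTTP responses (example code)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed baseline: one year of HSTS max-age, a common deployment recommendation.
MIN_HSTS_MAX_AGE = 31536000


@dataclass
class Snapshot:
    """What one scan captured: response headers (name -> value) and raw Set-Cookie lines."""
    headers: dict[str, str]
    set_cookies: list[str] = field(default_factory=list)

    def header(self, name: str) -> str | None:
        """Case-insensitive header lookup, as HTTP header names are case-insensitive."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def parse_set_cookie(line: str) -> tuple[str, dict[str, str | bool]]:
    """Split a Set-Cookie line into the cookie name and its attributes (lower-cased keys).

    Flag attributes without a value (Secure, HttpOnly) are stored as True.
    """
    parts = [p.strip() for p in line.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: dict[str, str | bool] = {}
    for attr in parts[1:]:
        if "=" in attr:
            key, value = attr.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        elif attr:
            attrs[attr.lower()] = True
    return name, attrs


def hsts_max_age(value: str | None) -> int:
    """Return the max-age directive of a Strict-Transport-Security header, or 0 if absent."""
    if not value:
        return 0
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return 0
    return 0


def evaluate(snap: Snapshot) -> dict[str, bool]:
    """Run the header and cookie checks; True means the check passes."""
    csp = snap.header("content-security-policy") or ""
    results = {
        "hsts": hsts_max_age(snap.header("strict-transport-security")) >= MIN_HSTS_MAX_AGE,
        "csp": bool(csp.strip()),
        # Clickjacking defence: either the legacy header or a CSP frame-ancestors directive.
        "frame-protection": (snap.header("x-frame-options") is not None
                             or "frame-ancestors" in csp.lower()),
        "nosniff": (snap.header("x-content-type-options") or "").strip().lower() == "nosniff",
        "referrer-policy": snap.header("referrer-policy") is not None,
        "permissions-policy": snap.header("permissions-policy") is not None,
    }
    for line in snap.set_cookies:
        name, attrs = parse_set_cookie(line)
        results[f"cookie:{name}:secure"] = attrs.get("secure") is True
        results[f"cookie:{name}:httponly"] = attrs.get("httponly") is True
        results[f"cookie:{name}:samesite"] = (
            str(attrs.get("samesite", "")).lower() in ("strict", "lax", "none"))
    return results


def letter_grade(results: dict[str, bool]) -> str:
    """Assumed grading scale: fraction of passing checks mapped onto A to F."""
    if not results:
        return "F"
    ratio = sum(results.values()) / len(results)
    for threshold, grade in ((1.0, "A"), (0.85, "B"), (0.7, "C"), (0.5, "D")):
        if ratio >= threshold:
            return grade
    return "F"


def regressions(previous: dict[str, bool], current: dict[str, bool]) -> list[str]:
    """Checks that passed in the previous snapshot and fail in the current one."""
    return sorted(check for check, ok in previous.items()
                  if ok and check in current and not current[check])


# Constructed sample data: yesterday's hardened response and today's regressed one,
# where the CSP header was dropped and the session cookie lost its Secure flag.
GOOD = Snapshot(
    headers={
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "strict-origin-when-cross-origin",
        "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    },
    set_cookies=["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
)
REGRESSED = Snapshot(
    headers={
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "strict-origin-when-cross-origin",
        "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    },
    set_cookies=["session=abc123; Path=/; HttpOnly; SameSite=Lax"],
)

if __name__ == "__main__":
    before, after = evaluate(GOOD), evaluate(REGRESSED)
    print("grade before:", letter_grade(before), "| grade after:", letter_grade(after))
    for check in regressions(before, after):
        print("REGRESSION:", check)
```

Two design points are worth noting. Clickjacking protection is accepted from either X-Frame-Options or a CSP frame-ancestors directive, because a site that has moved to CSP should not be penalised for dropping the legacy header. The regression diff only reports checks that flipped from pass to fail, so a cookie that a site stops setting altogether is not flagged as a security regression; that is a policy choice, and a scanner that wants to alert on any change would compare the full result sets instead.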
Grade your web security technical measures
Run a free scan and see where your TLS encryption, security headers, and cookie security flags stand. Use the report as one input toward the appropriate technical measures GDPR Article 32 expects. No account required.
Frequently asked questions
Does SiteSecurityScore make my site GDPR compliant?
No. GDPR compliance is mostly about lawful basis for processing, data subject rights, consent management, data processing agreements, records of processing, and internal governance, none of which a header scan can establish. SiteSecurityScore helps with one specific slice of GDPR, the appropriate technical measures for web and transport security that Article 32 expects. It evidences encryption in transit, security headers, and cookie security flags, but it does not and cannot make you fully GDPR compliant. This page is not legal advice.
Does SiteSecurityScore check cookie consent or consent banners?
No. SiteSecurityScore checks cookie security flags such as Secure, HttpOnly, and SameSite, which relate to the confidentiality and integrity of cookies. It does not check whether you obtained valid consent, whether your consent banner is lawful, or whether cookies fire before consent is given. Cookie consent sits under the ePrivacy rules and consent management, which is a legal and process matter handled by a consent management platform and your legal team, not a security header scan.
What does GDPR Article 32 require for web security?
Article 32 requires controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. It names examples including encryption of personal data, the ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems, and a process for regularly testing, assessing, and evaluating the effectiveness of those measures. For a website, that translates into things like encrypting personal data in transit with TLS, enforcing HTTPS with HSTS, applying security headers, and securing cookies. SiteSecurityScore helps you assess and evidence those web facing measures.
How does SiteSecurityScore help with the ongoing assessment GDPR expects?
Article 32(1)(d) expects a process for regularly testing, assessing, and evaluating the effectiveness of your technical measures. SiteSecurityScore offers daily automated monitoring that re-scans your TLS configuration, security headers, and cookie flags every day and emails you when something changes or regresses. Paired with timestamped PDF reports, that gives you a recurring record that you are reviewing your web security posture over time, which supports the ongoing assessment expectation for the web facing layer.
Can I use SiteSecurityScore reports as evidence for a GDPR audit?
You can use SiteSecurityScore PDF reports and monitoring history as supporting evidence that you assess and maintain web and transport security, which is part of the appropriate technical measures Article 32 expects. Treat it as one input among many. A full GDPR audit also covers lawful basis, data subject rights, data processing agreements, breach processes, and records of processing, which sit outside what a security scanner can show. Confirm what your auditor or Data Protection Officer needs.
Is encryption in transit enough to satisfy GDPR?
No. Encryption of personal data in transit using TLS, enforced with HSTS, is one of the technical measures Article 32 names as an example, and SiteSecurityScore checks it, but GDPR asks for measures appropriate to the risk across the whole lifecycle of processing. That can include encryption at rest, access controls, backups, pseudonymisation, vendor management, and organisational measures that a web scan does not see. Encryption in transit is necessary for most sites that handle personal data, but it is not sufficient on its own.