Practice guide for the security of personal data : 2024 edition

26 March 2024

The practice guide for the security of personal data aims at reminding the safety measures to be put in place. This new version overhauls the previous guide and introduces new factsheets, including ones on artificial intelligence, mobile applications, cloud computing and application programming interfaces (APIs).

What is in the guide ?

The security obligation regarding the processing of personal data, enshrined in French law since 1978, has been reinforced by the GDPR. It might however be difficult, especially when unfamiliar with risk management methods, to implement such initiative and to ensure that the appropriate and necessary actions have been taken.

« The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. » - Article 32 GDPR 


Through these factsheets, the CNIL’s practice guide for the security of personal data recalls both the elementary precautions that should be taken as well as the security measures intended for reinforcing data protection.

What is new in the 2024 edition?

For this edition:

  • The guide has been structured in 5 parts in order to streamline the browsing between its 25 factsheets.
  • 5 new factsheets have been created. They are mainly based on content the CNIL has already published elsewhere regarding:
    • Cloud computing;
    • Mobile applications;
    • Artificial intelligence;
    • Application programming interfaces (API);
    • Data management security.
  • Current practices, such as the use of personally owned equipment in the workplace (BYOD), have enhanced already existing factsheets.
  • Factsheets that were dealing with a range of different subjects have been split and developed more thoroughly.

Additional and more sparse updates and improvements have been made in order to keep up with threats’ evolutions and knowledge’s development.

Who is this guide for?

This guide is a reference whom data protection officers (DPO), chief information security officers (CISO), computer scientists or legal experts may use in the context of their activities for data security. This guide is also a reference used by the CNIL in order to asses the security of personnal data processing.