19 May 2023 - we have broken the Guide to the UK GDPR down into smaller guides. All the content stays the same.
☐ We undertake an analysis of the risks presented by our processing, and use this to assess the appropriate level of security we need to put in place.
☐ When deciding what measures to implement, we take account of the state of the art and costs of implementation.
☐ We have an information security policy (or equivalent) and take steps to make sure the policy is implemented.
☐ Where necessary, we have additional policies and ensure that controls are in place to enforce them.
☐ We make sure that we regularly review our information security policies and measures and, where necessary, improve them.
☐ We have assessed what we need to do by considering the security outcomes we want to achieve.
☐ We have put in place basic technical controls such as those specified by established frameworks like Cyber Essentials.
☐ We understand that we may also need to put other technical measures in place depending on our circumstances and the type of personal data we process.
☐ We use encryption and/or pseudonymisation where it is appropriate to do so.
☐ We understand the requirements of confidentiality, integrity and availability for the personal data we process.
☐ We make sure that we can restore access to personal data in the event of any incidents, such as by establishing an appropriate backup process.
☐ We conduct regular testing and reviews of our measures to ensure they remain effective, and act on the results of those tests where they highlight areas for improvement.
☐ Where appropriate, we implement measures that adhere to an approved code of conduct or certification mechanism.
☐ We ensure that any data processor we use also implements appropriate technical and organisational measures.
Article 5(1)(f) of the UK GDPR concerns the ‘integrity and confidentiality’ of personal data. It says that personal data shall be:
'Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures'
You can refer to this as the UK GDPR’s ‘security principle’. It concerns the broad concept of information security.
This means that you must have appropriate security in place to prevent the personal data you hold being accidentally or deliberately compromised. You should remember that while information security is sometimes considered as cybersecurity (the protection of your networks and information systems from attack), it also covers other things like physical and organisational security measures.
You need to consider the security principle alongside Article 32 of the UK GDPR, which provides more specifics on the security of your processing. Article 32(1) states:
‘Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk’
Poor information security leaves your systems and services at risk and may cause real harm and distress to individuals – lives may even be endangered in some extreme cases.
Some examples of the harm caused by the loss or abuse of personal data include:
Although these consequences do not always happen, you should recognise that individuals are still entitled to be protected from less serious kinds of harm, for example embarrassment or inconvenience.
Information security is important, not only because it is itself a legal requirement, but also because it can support good data governance and help you demonstrate your compliance with other aspects of the UK GDPR.
The ICO is also required to consider the technical and organisational measures you had in place when considering an administrative fine.
The security principle goes beyond the way you store or transmit information. Every aspect of your processing of personal data is covered, not just cybersecurity. This means the security measures you put in place should seek to ensure that:
These are known as ‘confidentiality, integrity and availability’ and under the UK GDPR, they form part of your obligations.
The UK GDPR does not define the security measures that you should have in place. It requires you to have a level of security that is ‘appropriate’ to the risks presented by your processing. You need to consider this in relation to the state of the art and costs of implementation, as well as the nature, scope, context and purpose of your processing.
This reflects both the UK GDPR’s risk-based approach, and that there is no ‘one size fits all’ solution to information security. It means that what’s ‘appropriate’ for you will depend on your own circumstances, the processing you’re doing, and the risks it presents to your organisation.
So, before deciding what measures are appropriate, you need to assess your information risk. You should review the personal data you hold and the way you use it in order to assess how valuable, sensitive or confidential it is – as well as the damage or distress that may be caused if the data was compromised. You should also take account of factors such as:
We cannot provide a complete guide to all aspects of security in all circumstances for all organisations, but this guidance is intended to identify the main points for you to consider.
Carrying out an information risk assessment is one example of an organisational measure, but you will need to take other measures as well. You should aim to build a culture of security awareness within your organisation. You should identify a person with day-to-day responsibility for information security within your organisation and make sure this person has the appropriate resources and authority to do their job effectively.
Example
The Chief Executive of a medium-sized organisation asks the Director of Resources to ensure that appropriate security measures are in place, and that regular reports are made to the board.
The Resources Department takes responsibility for designing and implementing the organisation’s security policy, writing procedures for staff to follow, organising staff training, checking whether security measures are actually being adhered to and investigating security incidents.
Clear accountability for security will ensure that you do not overlook these issues, and that your overall security posture does not become flawed or out of date.
Although an information security policy is an example of an appropriate organisational measure, you may not need a ‘formal’ policy document or an associated set of policies in specific areas. It depends on your size and the amount and nature of the personal data you process, and the way you use that data. However, having a policy does enable you to demonstrate how you are taking steps to comply with the security principle.
Whether or not you have such a policy, you still need to consider security and other related matters such as:
Technical measures are sometimes thought of as the protection of personal data held in computers and networks. Whilst these are of obvious importance, many security incidents can be due to the theft or loss of equipment, the abandonment of old computers or hard-copy records being lost, stolen or incorrectly disposed of. Technical measures therefore include both physical and computer or IT security.
When considering physical security, you should look at factors such as:
In the IT context, technical measures may sometimes be referred to as ‘cybersecurity’. This is a complex technical area that is constantly evolving, with new threats and vulnerabilities always emerging. It may therefore be sensible to assume that your systems are vulnerable and take steps to protect them.
When considering cybersecurity, you should look at factors such as:
Depending on the sophistication of your systems, your usage requirements and the technical expertise of your staff, you may need to obtain specialist information security advice that goes beyond the scope of this guidance. However, it’s also the case that you may not need a great deal of time and resources to secure your systems and the personal data they process.
Whatever you do, you should remember the following:
A good starting point is to make sure that you’re in line with the requirements of Cyber Essentials – a government scheme that includes a set of basic technical controls you can put in place relatively easily.
You should however be aware that you may have to go beyond these requirements, depending on your processing activities. Cyber Essentials is only intended to provide a ‘base’ set of controls, and won’t address the circumstances of every organisation or the risks posed by every processing operation.
A list of helpful sources of information about cybersecurity is provided below.
Further reading – ICO/NCSC security outcomes
We have worked closely with the NCSC to develop a set of security outcomes that you can use to determine the measures appropriate for your circumstances.
The Accountability Framework looks at the ICO’s expectations in relation to security.
Further reading – ICO guidance
Under the 1998 Act, the ICO published a number of more detailed guidance pieces on different aspects of IT security. Where appropriate, we will be updating each of these to reflect the UK GDPR’s requirements in due course. However, until that time they may still provide you with assistance or things to consider.
Other resources
Some industries have specific security requirements or require you to adhere to certain frameworks or standards. These may be set collectively, for example by industry bodies or trade associations, or could be set by other regulators. If you operate in these sectors, you need to be aware of their requirements, particularly if specific technical measures are specified.
Although following these requirements will not necessarily equate to compliance with the UK GDPR’s security principle, the ICO will nevertheless consider these carefully in any considerations of regulatory action. It can be the case that they specify certain measures that you should have, and that those measures contribute to your overall security posture.
Example
If you are processing payment card data, you are obliged to comply with the Payment Card Industry Data Security Standard . The PCI-DSS outlines a number of specific technical and organisational measures that the payment card industry considers applicable whenever such data is being processed.
Although compliance with the PCI-DSS is not necessarily equivalent to compliance with the UK GDPR’s security principle, if you process card data and suffer a personal data breach, the ICO will consider the extent to which you have put in place measures that PCI-DSS requires particularly if the breach related to a lack of a particular control or process mandated by the standard.
If one or more organisations process personal data on your behalf, then these are data processors under the UK GDPR. This can have the potential to cause security problems – as a data controller you are responsible for ensuring compliance with the UK GDPR and this includes what the processor does with the data. However, in addition to this, the UK GDPR’s security requirements also apply to any processor you use.
This means that:
At the same time, your processor can assist you in ensuring compliance with your security obligations. For example, if you lack the resource or technical expertise to implement certain measures, engaging a processor that has these resources can assist you in making sure personal data is processed securely, provided that your contractual arrangements are appropriate.
Further reading
Pseudonymisation and encryption are specified in the UK GDPR as two examples of measures that may be appropriate for you to implement. This does not mean that you are obliged to use these measures. It depends on the nature, scope, context and purposes of your processing, and the risks posed to individuals.
However, there are a wide range of solutions that allow you to implement both without great cost or difficulty. For example, for a number of years the ICO has considered encryption to be an appropriate technical measure given its widespread availability and relatively low cost of implementation. This position has not altered due to the UK GDPR — if you are storing personal data, or transmitting it over the internet, we recommend that you use encryption and have a suitable policy in place, taking account of the residual risks involved.
When considering what to put in place, you should undertake a risk analysis and document your findings.
In more detail – ICO guidance
Collectively known as the ‘CIA triad’, confidentiality, integrity and availability are the three key elements of information security. If any of the three elements is compromised, then there can be serious consequences, both for you as a data controller, and for the individuals whose data you process.
The information security measures you implement should seek to guarantee all three both for the systems themselves and any data they process.
The CIA triad has existed for a number of years and its concepts are well-known to security professionals.
You are also required to have the ability to ensure the ‘resilience’ of your processing systems and services. Resilience refers to:
This refers to things like business continuity plans, disaster recovery, and cyber resilience. Again, there is a wide range of solutions available here, and what is appropriate for you depends on your circumstances.
You must have the ability to restore the availability and access to personal data in the event of a physical or technical incident in a ‘timely manner’.
The UK GDPR does not define what a ‘timely manner’ should be. This therefore depends on:
The key point is that you have taken this into account during your information risk assessment and selection of security measures. For example, by ensuring that you have an appropriate backup process in place you will have some level of assurance that if your systems do suffer a physical or technical incident you can restore them, and therefore the personal data they hold, as soon as reasonably possible.
Example
An organisation takes regular backups of its systems and the personal data held within them. It follows the well-known ‘3-2-1’ backup strategy: three copies, with two stored on different devices and one stored off-site.
The organisation is targeted by a ransomware attack that results in the data being encrypted. This means that it is no longer able to access the personal data it holds.
Depending on the nature of the organisation and the data it processes, this lack of availability can have significant consequences on individuals – and would therefore be a personal data breach under the UK GDPR.
The ransomware has spread throughout the organisation’s systems, meaning that two of the backups are also unavailable. However, the third backup, being stored off-site, allows the organisation to restore its systems in a timely manner. There may still be a loss of personal data depending on when the off-site backup was taken, but having the ability to restore the systems means that whilst there will be some disruption to the service, the organisation are nevertheless able to comply with this requirement of the UK GDPR.
Yes, the UK GDPR specifically requires you to have a process for regularly testing, assessing and evaluating the effectiveness of any measures you put in place. What these tests look like, and how regularly you do them, will depend on your own circumstances. However, it’s important to note that the requirement in the UK GDPR concerns your measures in their entirety, therefore whatever ‘scope’ you choose for this testing should be appropriate to what you are doing, how you are doing it, and the data that you are processing.
Technically, you can undertake this through a number of techniques, such as vulnerability scanning and penetration testing. These are essentially ‘stress tests’ of your network and information systems, which are designed to reveal areas of potential risk and things that you can improve.
In some industries, you are required to undertake tests of security measures on a regular basis. The UK GDPR now makes this an obligation for all organisations. Importantly, it does not specify the type of testing, nor how regularly you should undertake it. It depends on your organisation and the personal data you are processing.
You can undertake testing internally or externally. In some cases it is recommended that both take place.
Whatever form of testing you undertake, you should document the results and make sure that you act upon any recommendations, or have a valid reason for not doing so, and implement appropriate safeguards. This is particularly important if your testing reveals potential critical flaws that could result in a personal data breach.
If your security measures include a product or service that adheres to a UK GDPR code of conduct or certification scheme, you may be able to use this as an element to demonstrate your compliance with the security principle. It is important that you check carefully that the code or certification scheme has been approved by the ICO.
Further reading
The GDPR requires you to ensure that anyone acting under your authority with access to personal data does not process that data unless you have instructed them to do so. It is therefore vital that your staff understand the importance of protecting personal data, are familiar with your security policy and put its procedures into practice.
You should provide appropriate initial and refresher training, including:
Your staff training will only be effective if the individuals delivering it are themselves reliable and knowledgeable.
Other resources
The NCSC has detailed technical guidance in a number of areas that will be relevant to you whenever you process personal data. Some examples include:
The government has produced relevant guidance on cybersecurity:
Technical guidance produced by the European Union Agency for Network and Information Security (ENISA) may also assist you: