At a glance

  • The GDPR requires you to process personal data securely using appropriate technical and organisational measures.
  • What’s appropriate for you will depend not just on your circumstances, but also the data you are processing and the risks posed.
  • You must assess your information security risk and implement appropriate technical controls.
  • The Information Commissioner’s Office and the National Cyber Security Centre (NCSC) have worked together to develop an approach that you can use when making this assessment.
  • It allows you to consider common expectations and either follow existing guidance, use particular services or develop your own processes if you have appropriate knowledge and resources to do so.
  • The approach is based on four aims:
    • managing security risk;
    • protecting personal data against cyber-attack;
    • detecting security events; and
    • minimising the impact.

In brief

What does the GDPR say about security?

The GDPR requires you to process personal data securely. Article 5(1)(f) concerns ‘integrity and confidentiality’ of personal data - in short, it is the GDPR’s ‘security principle’. It states that personal data shall be:

‘processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures’

The aim of this guidance is to describe an overall set of outcomes that are considered ‘appropriate’ to prevent personal data being accidentally or deliberately compromised.

In more detail — ICO guidance

Read our general guidance on security under the GDPR.

What are the other requirements?

Alongside the security principle, the GDPR contains further specific provisions.

It makes data protection by design a legal requirement (previously known as ‘privacy by design’). Article 25 mandates that, at the time of the determination of the means of the processing (ie the design phase of any processing operation) and at the time of the processing itself, you should put in place appropriate technical and organisational measures designed to implement data protection in an effective manner and to integrate the necessary safeguards into the processing.

Whether you’re a controller or a processor, you also have specific security obligations under Article 32 of the GDPR. These require you to put in place appropriate technical and organisational measures to ensure a level of security of both the processing and your processing environment.

These provisions turn what is considered good security practice into a legal minimum. They go further than the obligations of the Data Protection Act 1998 and introduce established information security concepts into data protection legislation, including:

  • minimisation of personal data collected;
  • managing, limiting and controlling access to personal data;
  • protecting the classic ‘CIA triad’ (confidentiality, integrity, and availability) of personal data;
  • resilience of processing systems and services, and the ability to restore availability and access to personal data; and
  • regular testing of the effectiveness of measures implemented.

The measures you implement should be appropriate to the risk presented.

In more detail — ICO guidance

We have published guidance on data protection by design and security under the GDPR.

How does security relate to the GDPR’s accountability principle and our responsibility as data controllers?

The accountability principle requires you to be able to demonstrate that your processing is done in compliance with the GDPR. Accountability also has direct relevance to your responsibility as a data controller.

You are required to implement appropriate technical and organisational measures to ensure, and be able to demonstrate, that processing of personal data is performed in accordance with the GDPR.

In more detail — ICO guidance

We have published guidance on accountability and governance in this section of the Guide to the GDPR. It covers the accountability principle, contracts, documentation, data protection by design and by default, data protection impact assessments and data protection officers.

What are ‘appropriate technical and organisational measures’?

The GDPR requires you to have a level of security that is ‘appropriate’ to the risks presented by your processing. You need to consider this in relation to the state of the art and costs of implementation, as well as the nature, scope, context and purpose of your processing. This reflects both the GDPR’s risk-based approach, and that there is no ‘one size fits all’ solution to information security.

This means that what’s ‘appropriate’ for you will depend on your own circumstances, the processing you’re doing, and the risks it presents to your organisation.

This guidance sets out a set of security outcomes that could form the basis of describing ‘appropriate technical and organisational measures’ to protect personal data. Whilst there are minimum expectations, the precise implementation of any measures must be appropriate to the risks you face.

In more detail — ICO guidance

Read our general guidance on security to understand more about ‘appropriate’ measures and the importance of undertaking an information risk assessment.

Why ‘security outcomes’?

It may seem like there is a lot of confusion as to the technical security required to comply with your data protection obligations. There is lots of detailed guidance available, but it may not be immediately clear what you must put in place, what is simply a suggested approach and what is relevant to you and your circumstances.

The outcomes intend to provide a common set of expectations that you can meet, either through following existing guidance, using particular services or, if you are sufficiently competent, development of your own bespoke approach.

An outcomes-based approach also enables scaling to any size or complexity of organisation or data processing operation. The outcomes remain constant – it is how they are implemented that differs.

Policy

“…Implement appropriate technical and organisational measures…”

Outcome

This is the abstract, outcome-based view of what you must achieve.

Detailed guidance, services and bespoke development

Detailed guidance showing examples of how to achieve the outcomes; appropriate services that may be available to procure; or, alternatively, a bespoke approach developed by a competent organisation.

What are the aims?

The approach has been developed in accordance with the following four aims:

  • A) manage your security risk;
  • B) protect personal data against cyber-attack;
  • C) detect security events; and
  • D) minimise the impact.

Each outcome is summarised under its respective aim, with specific reference to the data protection context following.

What are the outcomes?

A.   Manage your security risk

You have appropriate organisational structures, policies and processes in place to understand, assess and systematically manage security risks to personal data.

A.1  Governance

You have appropriate data protection and information security policies and processes in place. If required, you ensure that you maintain records of processing activities and have appointed a Data Protection Officer.

In more detail — ICO guidance

The ICO has published guidance on data protection officers, accountability and governance, documentation and security.

In more detail — Article 29

The Article 29 Working Party includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR.

The Working Party has published guidelines on Data Protection Officers.

A.2  Risk management

You take appropriate steps to identify, assess and understand security risks to personal data and the systems that process this data.

GDPR emphasises a risk-based approach to data protection and the security of your processing systems and services. You must take steps to assess these risks and include appropriate organisational measures to make effective risk-based decisions based upon:

  • the state of the art (of technology);
  • the cost of implementation;
  • the nature, scope, context and purpose of processing; and
  • the severity and likelihood of the risk(s).

Beyond this, where the processing is likely to result in a high risk to the rights and freedoms of individuals, you must also undertake a Data Protection Impact Assessment (DPIA) to determine the impact of the intended processing on the protection of personal data. The DPIA should consider the technical and organisational measures necessary to mitigate that risk. Where such measures do not reduce the risk to an acceptable level, you need to have a process in place to consult with the ICO before you start the processing.

In more detail — ICO guidance

We have published detailed guidance on data protection impact assessments, including a list of processing operations for which DPIAs are mandatory.

In more detail — Article 29

The Article 29 Working Party has finalised its guidelines on high risk processing and DPIAs, following its consultation.

Other resources

The NCSC has guidance on risk management for cyber security. Additionally, Step 1 of the 10 Steps to Cyber Security is about developing an information risk management regime.

A.3  Asset management

You understand and catalogue the personal data you process and can describe the purpose for processing it. You also understand the risks posed to individuals of any unauthorised or unlawful processing, accidental loss, destruction or damage to that data.

The personal data you process should be adequate, relevant and limited to what is necessary for the purpose of the processing, and it should not be kept for longer than is necessary.

A.4  Data processors and the supply chain

You understand and manage security risks to your processing operations that may arise as a result of using third parties such as data processors. This includes ensuring that they employ appropriate security measures.

In the case of data processors, you are required to choose those that provide sufficient guarantees about their technical and organisational measures. The GDPR includes provisions where processors are used, including specific stipulations that must feature in your contract.

In more detail — ICO guidance

We have produced guidance on controller and processor contracts.

The deadline for responses to our draft GDPR guidance on contractors and liabilities for controllers and processors has now passed. We are analysing the feedback and this will feed into the final version.

Other resources

The NCSC has also published guidance on managing security in your supply chain.

B.   Protect personal data against cyber-attack

You have proportionate security measures in place to protect against cyber-attack which cover:

  • the personal data you process; and
  • the systems that process such data.

B.1  Service protection policies and processes

You should define, implement, communicate and enforce appropriate policies and processes that direct your overall approach to securing systems involved in the processing of personal data.

You should also consider assessing your systems and implementing specific technical controls as laid out in appropriate frameworks (such as Cyber Essentials).

Other resources

Cyber Essentials at the NCSC’s website.

B.2  Identity and access control

You understand, document and manage access to personal data and systems that process this data. Access rights granted to specific users must be understood, limited to those users who reasonably need such access to perform their function and removed when no longer needed. You should undertake activities to check or validate that the technical system permissions are consistent with your documented user access rights.

You should appropriately authenticate and authorise users (or any automated functions) that can access personal data. You should strongly authenticate users who have privileged access and consider two-factor or hardware authentication measures.

You should prevent users from downloading, transferring, altering or deleting personal data where there is no legitimate organisational reason to do so. You should appropriately constrain legitimate access and ensure there is an appropriate audit trail.

You should have a robust password policy which avoids users having weak passwords, such as those trivially guessable. You should change all default passwords and remove or suspend unused accounts.
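The B.2 outcome asks for three concrete checks: that technical permissions match the documented access rights, that unused accounts are removed or suspended, and that trivially guessable or default passwords are not in use. The script below is an added illustration of those checks and is not code from the ICO or NCSC; the access register, permission snapshot, login dates and deny list are all constructed sample data.

```python
from datetime import date, timedelta

# Constructed sample: the documented access register (who is approved for what).
ACCESS_REGISTER = {
    "alice": {"hr_db": "read", "crm": "read"},
    "bob":   {"crm": "write"},
    "carol": {"hr_db": "write"},
}

# Constructed sample: what the systems actually grant (eg an exported ACL).
SYSTEM_PERMISSIONS = {
    "alice": {"hr_db": "read", "crm": "write"},   # more than approved
    "bob":   {"crm": "write"},
    "carol": {},                                  # approved but nothing granted
    "dave":  {"hr_db": "read"},                   # not in the register at all
}

# Constructed sample: last successful login per account (None = never).
LAST_LOGIN = {"alice": date(2018, 5, 20), "bob": date(2018, 1, 3),
              "carol": None, "dave": date(2018, 5, 1)}

# Constructed deny list of trivially guessable / vendor default passwords.
WEAK_PASSWORDS = {"password", "password1", "admin", "changeme", "123456"}

RANK = {"none": 0, "read": 1, "write": 2}


def reconcile(register, actual):
    """Compare documented rights with granted permissions; return (user, system, finding)."""
    findings = []
    for user in sorted(set(register) | set(actual)):
        if user not in register:
            findings.append((user, "*", "undocumented account"))
            continue
        approved, granted = register[user], actual.get(user, {})
        for system in sorted(set(approved) | set(granted)):
            a = RANK[approved.get(system, "none")]
            g = RANK[granted.get(system, "none")]
            if g > a:
                findings.append((user, system, "excess permission"))
            elif g < a:
                findings.append((user, system, "missing permission"))
    return findings


def stale_accounts(last_login, today, max_idle_days=90):
    """Accounts that never logged in or have been idle longer than the policy allows."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(u for u, d in last_login.items() if d is None or d < cutoff)


def password_too_weak(password, min_length=8):
    """True when a candidate password is too short or on the deny list (case-insensitive)."""
    return len(password) < min_length or password.lower() in WEAK_PASSWORDS
```

The reconciliation reports drift in both directions, because an approved-but-missing permission usually means the register is stale and needs updating too.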

B.3  Data security

You implement technical controls (such as appropriate encryption) to prevent unauthorised or unlawful processing of personal data, whether through unauthorised access to user devices or storage media, backups, interception of data in transit or at rest or accessing data that might remain in memory when technology is sent for repair or disposal.

B.4  System security

You implement appropriate technical and organisational measures to protect systems, technologies and digital services that process personal data from cyber-attack.

Whilst the GDPR requires a risk-based approach, typical examples of security measures you could take include:

  • tracking and recording all assets that process personal data, including end user devices and removable media;
  • minimising the opportunity for attack by configuring technology appropriately, minimising available services and controlling connectivity;
  • actively managing software vulnerabilities, including using in-support software and the application of software update policies (patching), and taking other mitigating steps, where patches can’t be applied;
  • managing end user devices (laptops and smartphones etc.) so that you can apply organisational controls over software or applications that interact with or access personal data;
  • encrypting personal data at rest on devices (laptops, smartphones, removable media) that are not subject to strong physical controls;
  • encrypting personal data when transmitted electronically;
  • ensuring that web services are protected from common security vulnerabilities such as SQL injection and others described in widely-used publications such as the OWASP Top 10; and
  • ensuring your processing environment remains secure throughout its lifecycle.

You also undertake regular testing to evaluate the effectiveness of your security measures, including virus and malware scanning, vulnerability scanning and penetration testing as appropriate. You record the results of any testing and remediating action plans.

Whatever security measures you put in place – whether these are your own, or whether you use a third party service such as a cloud provider – you remain responsible both for the processing itself, and also in respect of any devices that you operate.

In more detail — ICO guidance

The ICO has published detailed guidance on different aspects of data protection and IT security. We will be updating each of these to reflect the GDPR’s requirements in due course. However, until that time they may still assist you:

Other resources

The NCSC has a wide range of cybersecurity advice and guidance which may assist you further, including:

The latest version of the OWASP Top 10 was published in 2017.

The European Union Agency for Network and Information Security (ENISA) also has guidance on data protection and security, including a ‘Handbook’ on security of personal data and guidelines for SMEs.

B.5  Staff awareness and training

You give your staff appropriate support to help them manage personal data securely, including the technology they use. This includes relevant training and awareness as well as provision of the tools they need to effectively undertake their duties in ways that support the security of personal data.

Staff should be provided support so that they do not inadvertently process personal data (eg by sending it to the incorrect recipient).

Further reading

Step 5 of the 10 Steps to Cyber Security is about user education and awareness.

C.   Detect security events

You can detect security events that affect the systems that process personal data and you monitor authorised user access to that data.

C.1  Security monitoring

You appropriately monitor the status of systems processing personal data and monitor user access to personal data, including anomalous user activity.

You record user access to personal data. Where unexpected events or indications of a personal data breach are detected, you have processes in place to act upon those events as necessary in an appropriate timeframe.
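To show what recording access and flagging anomalous user activity can look like in practice, here is an added example that is not part of the ICO/NCSC page. It parses constructed access-log lines in a made-up `key=value` format and flags three conditions: access by a user with no documented right to that system, bulk exports above a threshold, and activity outside working hours; the log lines, approved-access map and thresholds are all assumptions.

```python
import re
from datetime import datetime

# Constructed sample access log (made-up format, not a real product's output).
LOG_LINES = """\
2018-05-24T09:12:31Z user=alice action=view system=hr_db records=1
2018-05-24T10:05:02Z user=bob action=export system=crm records=40
2018-05-24T23:48:10Z user=bob action=export system=crm records=5000
2018-05-25T08:30:00Z user=carol action=update system=hr_db records=3
2018-05-25T11:02:45Z user=dave action=view system=hr_db records=12
""".splitlines()

# Constructed sample: which systems each user is documented as allowed to access.
APPROVED_ACCESS = {"alice": {"hr_db", "crm"}, "bob": {"crm"}, "carol": {"hr_db"}}

LINE_RE = re.compile(r"^(\S+) user=(\S+) action=(\S+) system=(\S+) records=(\d+)$")


def parse_line(line):
    """Return a dict for a well-formed line, or None so malformed lines are skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, action, system, records = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user,
            "action": action, "system": system, "records": int(records)}


def detect_anomalies(lines, approved, bulk_threshold=1000, work_hours=(7, 19)):
    """Flag events that merit follow-up; each finding names the event and a reason."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        reasons = []
        if ev["system"] not in approved.get(ev["user"], set()):
            reasons.append(f"no documented access to {ev['system']}")
        if ev["action"] == "export" and ev["records"] >= bulk_threshold:
            reasons.append(f"bulk export of {ev['records']} records")
        if not work_hours[0] <= ev["ts"].hour < work_hours[1]:
            reasons.append("access outside working hours")
        for reason in reasons:
            findings.append({"ts": ev["ts"].isoformat(), "user": ev["user"],
                             "system": ev["system"], "reason": reason})
    return findings
```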

Further reading

Step 8 of the 10 Steps to Cyber Security is about monitoring.

D.   Minimise the impact

You can:

  • minimise the impact of a personal data breach;
  • restore your systems and services;
  • manage the incident appropriately; and
  • learn lessons for the future.

D.1  Response and recovery planning

You have well-defined and tested incident management processes in place in case of personal data breaches. You have mitigation processes in place that are designed to contain or limit the range of personal data that could be compromised following a personal data breach.

Where the loss of availability of personal data could cause harm, you have measures in place to ensure appropriate recovery. This should include maintaining (and securing) appropriate backups.

D.2  Improvements

When a personal data breach occurs, you take steps to:

  • understand the root cause;
  • report the breach to the Information Commissioner and, where appropriate, affected individuals;
  • where appropriate (or required), report to other relevant bodies (for example, other regulators, the NCSC and/or law enforcement); and
  • take appropriate remediating action.

In more detail – ICO guidance

See the section on personal data breaches in the Guide to the GDPR.

In more detail – Article 29

The Article 29 Working Party includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR.

The Article 29 Working Party has published guidelines on Personal data breach notification.

Other resources

Report a security breach to the ICO

Step 6 of the 10 Steps to Cyber Security concerns incident management. Although not specifically about personal data breaches, the guidance may also provide relevant information for you.