How do we ensure the security of personal information?
-
The Data (Use and Access) Act 2026 got Royal Assent on 19 June 2026. All the provisions affecting data protection law and the Privacy and Electronic Communications Regulations are now in force. The Department for Science and Innovation (DSIT) has set out the commencement plans. You can find more details on the Gov.uk website.
Data protection law requires you to process personal information securely, using appropriate technical and organisational measures, but it does not define what measures to use. This is the ‘security principle’.
You must put in place technical and organisational measures to ensure your level of security is appropriate to the risk of using personal information. You must consider:
- the state of the art;
- costs of implementation; and
- the nature, scope, context and purpose of your processing.
If you plan to use a third-party moderation provider, acting as a data processor, you must choose one that provides sufficient guarantees about its security measures.