What are ‘appropriate technical and organisational measures’?
The UK GDPR requires you to have a level of security that is ‘appropriate’ to the risks presented by your processing. You need to consider this in relation to the state of the art and costs of implementation, as well as the nature, scope, context and purpose of your processing. This reflects both the UK GDPR’s risk-based approach, and that there is no ‘one size fits all’ solution to information security.
This means that what’s ‘appropriate’ for you will depend on your own circumstances, the processing you’re doing, and the risks it presents to your organisation.
This guidance sets out a set of security outcomes that could form the basis of describing ‘appropriate technical and organisational measures’ to protect personal data. Whilst there are minimum expectations, the precise implementation of any measures must be appropriate to the risks you face.
Why ‘security outcomes’?
It may seem that there is a lot of confusion about the technical security required to comply with your data protection obligations. There is lots of detailed guidance available, but it may not be immediately clear what you must put in place, what is simply a suggested approach, and what is relevant to you and your circumstances.
The outcomes are intended to provide a common set of expectations that you can meet either by following existing guidance, by using particular services or, if you are sufficiently competent, by developing your own bespoke approach.
An outcomes-based approach also enables scaling to any size or complexity of organisation or data processing operation. The outcomes remain constant – it is how they are implemented that differs.
[Figure: from the legal requirement to its implementation]
“…Implement appropriate technical and organisational measures…”: this is the abstract, outcome-based view of what you must achieve.
Detailed guidance showing examples of how to achieve the outcomes, appropriate services that may be available to procure, or a bespoke approach developed by a competent organisation.
What are the aims?
The approach has been developed in accordance with the following four aims:
- A) manage your security risk;
- B) protect personal data against cyber-attack;
- C) detect security events; and
- D) minimise the impact.
Each outcome is summarised under its respective aim, with specific reference to the data protection context following.
What are the outcomes?
A. Manage your security risk
You have appropriate organisational structures, policies and processes in place to understand, assess and systematically manage security risks to personal data.
A.1 Governance
You have appropriate data protection and information security policies and processes in place. If required, you ensure that you maintain records of processing activities and have appointed a Data Protection Officer.
In more detail — Article 29
The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the EU version of the GDPR.
WP29 published guidelines on Data Protection Officers, which the EDPB endorsed in May 2018.
A.2 Risk management
You take appropriate steps to identify, assess and understand security risks to personal data and the systems that process this data.
The UK GDPR emphasises a risk-based approach to data protection and the security of your processing systems and services. You must take steps to assess these risks and include appropriate organisational measures to make effective risk-based decisions based upon:
- the state of the art (of technology);
- the cost of implementation;
- the nature, scope, context and purpose of processing; and
- the severity and likelihood of the risk(s).
Beyond this, where the processing is likely to result in a high risk to the rights and freedoms of individuals, you must also undertake a Data Protection Impact Assessment (DPIA) to determine the impact of the intended processing on the protection of personal data. The DPIA should consider the technical and organisational measures necessary to mitigate that risk. Where such measures do not reduce the risk to an acceptable level, you need to have a process in place to consult with the ICO before you start the processing.
In more detail — Article 29
WP29 produced guidelines on high risk processing and DPIAs, which the EDPB endorsed in May 2018.
EDPB guidelines are no longer directly relevant to the UK regime and are not binding under the UK regime. However, they may still provide helpful guidance on certain issues.
A.3 Asset management
You understand and catalogue the personal data you process and can describe the purpose for processing it. You also understand the risks posed to individuals of any unauthorised or unlawful processing, accidental loss, destruction or damage to that data.
The personal data you process should be adequate, relevant and limited to what is necessary for the purpose of the processing, and it should not be kept for longer than is necessary.
A.4 Processors and the supply chain
You understand and manage security risks to your processing operations that may arise as a result of using third parties such as data processors. This includes ensuring that they employ appropriate security measures.
In the case of data processors, you are required to choose those that provide sufficient guarantees about their technical and organisational measures. The UK GDPR includes provisions where processors are used, including specific stipulations that must feature in your contract.
B. Protect personal data against cyber-attack
You have proportionate security measures in place to protect against cyber-attack which cover:
- the personal data you process; and
- the systems that process such data.
B.1 Service protection policies and processes
You should define, implement, communicate and enforce appropriate policies and processes that direct your overall approach to securing systems involved in the processing of personal data.
You should also consider assessing your systems and implementing specific technical controls as laid out in appropriate frameworks (such as Cyber Essentials).
B.2 Identity and access control
You understand, document and manage access to personal data and systems that process this data. Access rights granted to specific users must be understood, limited to those users who reasonably need such access to perform their function and removed when no longer needed. You should undertake activities to check or validate that the technical system permissions are consistent with your documented user access rights.
You should appropriately authenticate and authorise users (or any automated functions) that can access personal data. You should strongly authenticate users who have privileged access and consider two-factor or hardware authentication measures.
You should prevent users from downloading, transferring, altering or deleting personal data where there is no legitimate organisational reason to do so. You should appropriately constrain legitimate access and ensure there is an appropriate audit trail.
You should have a robust password policy which avoids users having weak passwords, such as those trivially guessable. You should change all default passwords and remove or suspend unused accounts.
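An added example (not ICO text or code) of the validation step described above: it compares a documented access register against a permissions export from the system and reports permissions beyond what is documented, accounts that are dormant or unused, and default accounts that are still present. The register, the permission dump, the account names and the 90-day dormancy threshold are all constructed assumptions.

```python
"""Reconcile documented access rights against actual system permissions.

Added example, not from the ICO guidance. The register, the permission
dump, the account names and the thresholds are constructed assumptions.
"""
from datetime import date

# Constructed access register: the entitlements the data owner has approved.
# A leaver keeps an entry with no permissions so that any remaining access is flagged.
REGISTER = {
    "alice": {"role": "case-worker", "permissions": {"records:read"}},
    "bob":   {"role": "team-lead",   "permissions": {"records:read", "records:export"}},
    "carol": {"role": "leaver",      "permissions": set()},
}

# Constructed export of effective permissions from the system, with last logon.
SYSTEM = {
    "alice": {"permissions": {"records:read"},
              "last_logon": date(2024, 3, 1), "enabled": True},
    "bob":   {"permissions": {"records:read", "records:export", "records:delete"},
              "last_logon": date(2024, 3, 2), "enabled": True},
    "carol": {"permissions": {"records:read"},
              "last_logon": date(2023, 9, 10), "enabled": True},
    "admin": {"permissions": {"records:read", "records:export", "records:delete", "users:manage"},
              "last_logon": None, "enabled": True},
}

DEFAULT_ACCOUNTS = {"admin", "guest"}   # vendor/default accounts (assumption)
DORMANT_DAYS = 90                       # unused for longer than this counts as dormant (assumption)
TODAY = date(2024, 3, 15)               # constructed review date


def reconcile(register, system, today, dormant_days=DORMANT_DAYS):
    """Return (account, finding, detail) tuples for every discrepancy found.

    Checks: permissions beyond what is documented, accounts absent from the
    register (default accounts reported separately), and enabled accounts
    that have never logged on or not logged on within dormant_days.
    """
    findings = []
    for account, actual in system.items():
        if not actual["enabled"]:
            continue                      # a disabled account cannot be used
        documented = register.get(account)
        if documented is None:
            kind = "default account present" if account in DEFAULT_ACCOUNTS else "undocumented account"
            findings.append((account, kind, sorted(actual["permissions"])))
            continue
        excess = actual["permissions"] - documented["permissions"]
        if excess:
            findings.append((account, "excess permission", sorted(excess)))
        last = actual["last_logon"]
        if last is None or (today - last).days > dormant_days:
            findings.append((account, "dormant account", str(last)))
    return findings


if __name__ == "__main__":
    for account, finding, detail in reconcile(REGISTER, SYSTEM, TODAY):
        print(f"{account:<8} {finding:<24} {detail}")
```

Run on the constructed data, the report shows bob holding a delete permission nobody approved, the leaver carol still able to read records and dormant for six months, and a default admin account with no owner in the register. The same shape of check applies to a real register and a real export (for example from a directory or database grants table); the point is that the review compares against the documented entitlements rather than asking each manager whether the current access "looks right".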
B.3 Data security
You implement technical controls (such as appropriate encryption) to prevent unauthorised or unlawful processing of personal data, whether through unauthorised access to user devices, storage media or backups, interception of data in transit, access to data at rest, or recovery of data that remains on devices or media sent for repair or disposal.
B.4 System security
You implement appropriate technical and organisational measures to protect systems, technologies and digital services that process personal data from cyber-attack.
Whilst the UK GDPR requires a risk-based approach, typical examples of security measures you could take include:
- tracking and recording all assets that process personal data, including end user devices and removable media;
- minimising the opportunity for attack by configuring technology appropriately, minimising available services and controlling connectivity;
- actively managing software vulnerabilities, including using in-support software and the application of software update policies (patching), and taking other mitigating steps, where patches can’t be applied;
- managing end user devices (laptops and smartphones etc.) so that you can apply organisational controls over software or applications that interact with or access personal data;
- encrypting personal data at rest on devices (laptops, smartphones, removable media) that are not subject to strong physical controls;
- encrypting personal data when transmitted electronically;
- ensuring that web services are protected from common security vulnerabilities such as SQL injection and others described in widely-used publications such as the OWASP Top 10; and
- ensuring your processing environment remains secure throughout its lifecycle.
You also undertake regular testing to evaluate the effectiveness of your security measures, including virus and malware scanning, vulnerability scanning and penetration testing as appropriate. You record the results of any testing and remediating action plans.
Whatever security measures you put in place – whether these are your own, or whether you use a third party service such as a cloud provider – you remain responsible both for the processing itself, and also in respect of any devices that you operate.
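An added example (not ICO text or code) of the SQL injection point in the list above: a customer lookup built by string concatenation beside the same lookup using parameter binding, run against an in-memory SQLite table of constructed personal data. The table, column names and attacker inputs are assumptions.

```python
"""SQL injection (OWASP Top 10) in a customer lookup: vulnerable vs parameterised.

Added example, not from the ICO guidance. Uses an in-memory SQLite table
of constructed personal data; table and column names are assumptions.
"""
import sqlite3


def make_db():
    """Create a throwaway database holding constructed customer records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, postcode TEXT)")
    conn.executemany(
        "INSERT INTO customers (email, postcode) VALUES (?, ?)",
        [("a.smith@example.com", "SW1A 1AA"),
         ("b.jones@example.com", "M1 1AE"),
         ("c.khan@example.com", "EH1 1YZ")],
    )
    return conn


def find_by_email_vulnerable(conn, email):
    """Builds the query by string concatenation: user input becomes part of the SQL."""
    sql = "SELECT email, postcode FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def find_by_email_safe(conn, email):
    """Binds the value as a parameter: the driver never parses it as SQL."""
    sql = "SELECT email, postcode FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Constructed attacker inputs: one bypasses the WHERE filter, one reads the schema.
BYPASS_PAYLOAD = "' OR '1'='1"
UNION_PAYLOAD = "x' UNION SELECT name, sql FROM sqlite_master --"


def demo():
    """Row counts (and the leaked table name) for each function and input."""
    conn = make_db()
    return {
        "vulnerable_normal": len(find_by_email_vulnerable(conn, "a.smith@example.com")),
        "vulnerable_bypass": len(find_by_email_vulnerable(conn, BYPASS_PAYLOAD)),
        "vulnerable_union": [row[0] for row in find_by_email_vulnerable(conn, UNION_PAYLOAD)],
        "safe_normal": len(find_by_email_safe(conn, "a.smith@example.com")),
        "safe_bypass": len(find_by_email_safe(conn, BYPASS_PAYLOAD)),
        "safe_union": len(find_by_email_safe(conn, UNION_PAYLOAD)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:<18} {result}")
```

With the bypass input the concatenated query returns every customer (three rows instead of one), and with the UNION input it returns the database schema instead of customer data; the parameterised query returns no rows for either, because the whole string is compared against the email column as a value. This is the kind of check a web-application penetration test or a code review of data-access code should exercise.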
Further reading — ICO guidance
Under the 1998 Act, the ICO published a number of more detailed guidance pieces on different aspects of IT security. Where appropriate, we will be updating each of these to reflect the UK GDPR’s requirements in due course. However, until that time they may still provide you with assistance or things to consider:
B.5 Staff awareness and training
You give your staff appropriate support to help them manage personal data securely, including the technology they use. This includes relevant training and awareness as well as provision of the tools they need to effectively undertake their duties in ways that support the security of personal data.
Staff should be given support so that they do not inadvertently disclose personal data (eg by sending it to the incorrect recipient).
C. Detect security events
You can detect security events that affect the systems that process personal data and you monitor authorised user access to that data.
C.1 Security monitoring
You appropriately monitor the status of systems processing personal data and monitor user access to personal data, including anomalous user activity.
You record user access to personal data. Where unexpected events or indications of a personal data breach are detected, you have processes in place to act upon those events as necessary in an appropriate timeframe.
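An added example (not ICO text or code) of monitoring the access records described above: three simple rules run over a constructed access log, flagging access outside working hours, access to a record the user has no documented reason to open, and bulk access by one user in a day. The log format, working hours, bulk threshold and case assignments are all assumptions.

```python
"""Anomaly checks over a personal-data access log.

Added example, not from the ICO guidance. The log format, working hours,
bulk threshold and case assignments are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed log lines: "<ISO timestamp> <user> <action> <record id>", one per access.
LOG_LINES = [
    "2024-03-04T09:12:01 alice read 1001",
    "2024-03-04T09:15:44 alice read 1002",
    "2024-03-04T22:41:09 bob read 1003",      # outside working hours
    "2024-03-04T11:30:00 erin read 1003",     # record not assigned to erin
] + [f"2024-03-04T10:{i:02d}:00 dave read {1000 + i}" for i in range(1, 13)]  # 12 records in 12 minutes

WORK_HOURS = range(8, 18)     # 08:00 to 17:59 (assumption)
BULK_THRESHOLD = 10           # distinct records per user per day (assumption)
ASSIGNMENTS = {               # records each user has a legitimate reason to open (assumption)
    "alice": {1001, 1002},
    "bob": {1003},
    "dave": set(range(1001, 1013)),
    "erin": {1005},
}


def parse(lines):
    """Turn raw log lines into (timestamp, user, action, record) tuples."""
    events = []
    for line in lines:
        ts, user, action, rec = line.split()
        events.append((datetime.fromisoformat(ts), user, action, int(rec)))
    return events


def detect(events, assignments, bulk_threshold=BULK_THRESHOLD):
    """Apply the three rules and return (rule, user, detail) findings in detection order."""
    findings = []
    per_user_day = defaultdict(set)
    for ts, user, action, rec in events:
        if ts.hour not in WORK_HOURS:
            findings.append(("out_of_hours", user, ts.isoformat()))
        if rec not in assignments.get(user, set()):
            findings.append(("unassigned_record", user, rec))
        per_user_day[(user, ts.date())].add(rec)
    # Volume rule needs the whole day's events, so it runs after the per-event rules.
    for (user, day), records in per_user_day.items():
        if len(records) >= bulk_threshold:
            findings.append(("bulk_access", user, len(records)))
    return findings


if __name__ == "__main__":
    for rule, user, detail in detect(parse(LOG_LINES), ASSIGNMENTS):
        print(f"{rule:<18} {user:<6} {detail}")
```

On the constructed log this reports bob's late-evening read, erin opening a record that is not hers, and dave reading twelve records in twelve minutes even though every one of them is assigned to him. The third case is the one most often missed: each individual access is authorised, and only the rate gives it away, which is why the volume rule aggregates per user per day rather than judging events one at a time. Each finding is what the guidance calls an "unexpected event" that your process must then act on within an appropriate timeframe.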
D. Minimise the impact
You can:
- minimise the impact of a personal data breach;
- restore your systems and services;
- manage the incident appropriately; and
- learn lessons for the future.
D.1 Response and recovery planning
You have well-defined and tested incident management processes in place in case of personal data breaches. You have mitigation processes in place that are designed to contain or limit the range of personal data that could be compromised following a personal data breach.
Where the loss of availability of personal data could cause harm, you have measures in place to ensure appropriate recovery. This should include maintaining (and securing) appropriate backups.
D.2 Improvements
When a personal data breach occurs, you take steps to:
- understand the root cause;
- report the breach to the ICO and, where appropriate, affected individuals;
- where appropriate (or required), report to other relevant bodies (for example, other regulators, the NCSC and/or law enforcement); and
- take appropriate remediating action.
Further reading – European Data Protection Board
WP29 published guidelines on personal data breach notification, which the EDPB endorsed in May 2018.