UK General Data Protection Regulation (UK GDPR)

Security principle under the UK GDPR

The UK General Data Protection Regulation (UK GDPR) requires you to process personal data securely. It requires you to have appropriate security in place to prevent the personal data you hold being accidentally or deliberately compromised.

The security principle concerns the confidentiality, integrity and availability of personal data, and takes into account cyber security, physical security and organisational security.

What level of security is needed under UK GDPR?

The UK GDPR does not define the security measures that you should have in place. It requires you to have a level of security that is 'appropriate' to the risks presented by your processing.

You need to consider this in relation to the state of the art and costs of implementation, as well as the nature, scope, context and purpose of your processing.

The security measures you put in place should seek to ensure that:

  • the data can be accessed, altered, disclosed or deleted only by those you have authorised to do so, and only within the scope of the authority you give them (confidentiality)
  • the data you hold is accurate and complete in relation to why you are processing it (integrity)
  • the data remains accessible and usable, i.e. if personal data is accidentally lost, altered or destroyed, you are able to recover it in time to prevent damage or distress to the individuals concerned (availability)

Organisational security measures

Carrying out an information risk assessment is one example of an organisational measure, but you will need to take other measures as well. For example, you will need to:

  • build security awareness in your organisation
  • allocate responsibility for information security within your organisation
  • ensure those responsible have the resources and authority to do their job effectively

An information security policy is another example of an appropriate organisational measure. Depending on your size, the volume and nature of the personal data you process, and the way you use that data, you may not need a 'formal' policy document or an associated set of policies. That said, having a policy enables you to demonstrate how you are taking steps to comply with the security principle.

Other related matters you will need to consider include:

  • co-ordination between key people in your organisation
  • access to premises or equipment given to anyone outside your organisation
  • business continuity arrangements for protection and recovery of personal data you hold
  • periodic checks on and updates to your security measures

Technical security measures

Technical measures include both:

  • physical security, which covers things like
    • protection of premises by means of alarms, lighting, CCTV
    • control of access to premises
    • disposal of paper and electronic waste
    • secure maintenance and disposal of IT equipment, mobile devices, etc
  • IT security (or cyber security), extending to the security of
    • your network and information systems
    • the data you hold within your systems
    • your website, online services and applications that you use
    • your devices, including policies on use of personal devices in the workplace

Encryption
The UK GDPR includes encryption as an example of an appropriate technical measure, depending on the nature and risks of your processing activities. Encryption is:

  • widely available
  • relatively low-cost to implement
  • available in a large variety of solutions

If you store or transmit personal data, it is recommended that you have an encryption policy in place. Find out more about encryption.

Password authentication
Passwords are commonly used to protect access to systems that process personal data. Although the UK GDPR does not say anything specific about passwords, you are required to process personal data securely by means of appropriate technical and organisational measures.

Therefore, any password setup that you implement must:

  • be appropriate to the particular circumstances of your processing
  • protect against theft of stored passwords, so that a stolen password store does not directly reveal users' passwords
  • protect against 'brute-force' or guessing attacks

There are a number of additional considerations you will need to take into account when designing your password system, such as:

  • the use of an appropriate hashing algorithm to store your passwords, so that they cannot be recovered in usable form if the store is compromised
  • protecting the means by which users enter their passwords, e.g. the login form and the connection it is sent over
  • defending against common attacks such as online guessing and credential stuffing
  • the use of two-factor authentication

Find out more about password-based authentication schemes for an online service.
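The following is an added example, not code from the ICO or the NCSC, showing two of the points above in working form: storing passwords with a salted, slow hash (scrypt, via the Python standard library) so a stolen store is not directly usable, and per-account throttling so online guessing is bounded. The scrypt cost parameters, the record format, and the failure and lockout thresholds are assumptions chosen for illustration; the unsalted `weak_hash` function is included only as the contrast to avoid.

```python
"""Password storage and guessing-attack throttle (added example, not ICO code).

Library calls used: hashlib.scrypt (OpenSSL-backed, Python 3.6+),
secrets.token_bytes and hmac.compare_digest. The cost parameters and
lockout thresholds below are illustrative assumptions: tune them for
your own hardware and risk, and review them periodically.
"""
import base64
import hashlib
import hmac
import secrets
import time

# scrypt work factors: n = CPU/memory cost, r = block size, p = parallelism.
# Assumed values for illustration (about 16 MiB of memory per hash).
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
DKLEN = 32


def weak_hash(password: str) -> str:
    """What NOT to do: unsalted, fast hash. Equal passwords give equal digests,
    and a stolen table can be attacked offline at GPU speed."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm, parameters, salt, digest.
    A fresh random 16-byte salt per user defeats precomputed tables."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    b64 = lambda b: base64.b64encode(b).decode()
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${b64(salt)}${b64(digest)}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute with the parameters stored in the record and compare in
    constant time. Malformed records are rejected rather than raising."""
    try:
        alg, n, r, p, salt_b64, digest_b64 = record.split("$")
        if alg != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except (ValueError, TypeError):
        return False
    actual = hashlib.scrypt(candidate.encode(), salt=salt,
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(actual, expected)


class LoginThrottle:
    """Per-account throttle: after `max_failures` consecutive failures the
    account is locked for `lockout_seconds`. The counter resets on success.
    The clock is injectable so the behaviour can be tested without sleeping."""

    def __init__(self, max_failures=5, lockout_seconds=300, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures = {}       # user -> consecutive failure count
        self._locked_until = {}   # user -> monotonic time lock expires

    def is_locked(self, user: str) -> bool:
        return self.clock() < self._locked_until.get(user, 0.0)

    def attempt(self, user: str, record: str, candidate: str) -> str:
        """Return 'ok', 'denied' or 'locked'. While locked the password is
        not checked at all, so the lockout also closes the guessing oracle."""
        if self.is_locked(user):
            return "locked"
        if verify_password(record, candidate):
            self._failures.pop(user, None)
            return "ok"
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= self.max_failures:
            self._locked_until[user] = self.clock() + self.lockout_seconds
            self._failures.pop(user, None)
        return "denied"


if __name__ == "__main__":
    rec = hash_password("correct horse")
    print(rec)
    print("same input, two records differ:", hash_password("x") != hash_password("x"))
    print("weak hash collides:", weak_hash("x") == weak_hash("x"))
```

Storing the parameters inside the record lets you raise the work factors later and re-hash each user at their next successful login, which is how a deployed system keeps pace with hardware. Two-factor authentication, also mentioned above, is a separate layer that this example does not cover.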

The ICO and the NCSC have developed a set of security outcomes that you can use to determine the measures appropriate for your circumstances.

Test your security measures

The UK GDPR requires you to ensure that your security measures are effective, so you should test your security measures on a regular basis. The type of testing, and how regularly you should undertake it, depends on your organisation and the personal data you are processing.

Whatever form of testing you undertake, you should document the results, act upon any findings (or record a valid reason for not doing so), and implement appropriate safeguards. This is particularly important if your testing reveals potentially critical flaws that could result in a personal data breach. The ICO will consider the technical and organisational security measures you had in place when deciding on fines in the event of a breach.

This guide does not constitute legal advice and is provided for general information purposes only.