GDPR and cyber security are not two separate compliance concerns - they are deeply intertwined obligations that require a unified approach. The UK General Data Protection Regulation, which retained the principles of EU GDPR in UK law following Brexit, imposes a legal duty on organisations to protect personal data through appropriate technical and organisational security measures. A cyber security failure that touches personal data is, in almost every case, also a GDPR failure. And a GDPR breach - whether a data breach, an access control failure, or an inadequate retention policy - almost always has cyber security dimensions.
Softomate Solutions is a London-based cyber security consultancy that helps UK businesses build security programmes that satisfy both regulatory requirements and genuine risk management needs. We work with organisations across professional services, financial services, healthcare, and technology to align their cyber security controls with their UK GDPR obligations, reducing the risk of both breaches and regulatory action from the Information Commissioner's Office (ICO).
Understanding how GDPR's requirements map to specific cyber security controls is the starting point for any compliant and secure organisation. This guide sets out the key obligations, the technical measures that satisfy them, and the common failures that put UK businesses at risk of ICO enforcement.
Article 32 of UK GDPR requires controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. This is not prescriptive about specific technologies or tools, but it does set out the areas that measures must address and the factors that determine what is appropriate.
The key requirements under Article 32 include: the pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability of, and access to, personal data in a timely manner after a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of those measures. What counts as appropriate is judged against the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the likelihood and severity of the risk to individuals.
The ICO's guidance on data security makes clear that it expects organisations to consider the NCSC's Cyber Essentials controls as a baseline. For higher-risk processing activities, more sophisticated controls are expected. Organisations that have implemented only basic measures when processing sensitive categories of data - health information, financial data, legal records - will struggle to demonstrate that their measures were appropriate if a breach occurs.
A personal data breach is defined in UK GDPR as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. The consequences of a breach depend on its nature and severity, but can include regulatory fines, mandatory notification duties, reputational harm and compensation claims, each discussed below.
The ICO has the power to issue fines of up to £17.5 million or 4% of global annual turnover under UK GDPR, whichever is higher. In practice, fines at this level are reserved for the most serious breaches involving systemic failures, large volumes of sensitive data, or deliberate non-compliance. However, the ICO has issued substantial fines against mid-sized UK businesses for preventable breaches - including cases where basic security controls such as multi-factor authentication, patch management, or access controls were absent.
Where a breach is likely to result in a risk to the rights and freedoms of individuals, it must be reported to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk, the affected individuals must also be notified without undue delay. Missing the 72-hour notification window without a documented reason is itself a breach of UK GDPR and is treated as an aggravating factor by the ICO.
ICO enforcement action and breach notifications are frequently covered by trade press and national media. For professional services firms, law firms, and financial services businesses, where client trust is the foundation of the relationship, a publicised data breach can result in client attrition, lost contract bids, and long-term damage to the business.
Individuals whose data was affected by a breach have the right to claim compensation for material and non-material damage. Class action-style group litigation against UK businesses following data breaches has increased significantly, creating substantial additional financial exposure beyond regulatory fines.
When investigating a data breach, the ICO assesses whether the organisation had implemented technical and organisational security measures appropriate to the risk of the data it was processing. Key factors in this assessment include the state of technology at the time of the breach, the nature of the data, the volume of data affected, and whether the specific vulnerability or attack vector that caused the breach was known and addressable.
The ICO takes a particularly dim view of breaches caused by vulnerabilities for which patches were available and not applied, absence of multi-factor authentication on internet-facing systems, weak or reused passwords, and absence of encryption on laptops or portable storage devices. These are not sophisticated security failures - they are basic hygiene failures that the ICO considers inexcusable regardless of an organisation's size.
Softomate's cyber security consultancy services include formal gap assessments that map your current security controls against UK GDPR Article 32 requirements and ICO expectations. The output is a prioritised remediation plan that helps you demonstrate to the ICO, in the event of an investigation, that your security programme was proportionate and systematically managed.
While UK GDPR does not specify a prescriptive list of technical controls, the ICO's guidance and enforcement patterns make clear what is expected. The following controls are considered baseline requirements for most UK businesses processing personal data:
MFA on all internet-facing systems - email, remote access, cloud applications, and administrative interfaces - is expected. The absence of MFA on systems that suffered credential-based attacks has been cited repeatedly by the ICO as a factor indicating inadequate security. Implementing MFA for all users, not just administrators, is the standard. Phishing-resistant MFA methods - hardware tokens, FIDO2 passkeys - are preferred over SMS codes, which can be intercepted through SIM-swapping or relayed by a phishing site in real time.
Personal data stored on servers, databases, laptops, and portable devices should be encrypted at rest. Data transmitted over networks should use TLS encryption. Whole-disk encryption on laptops and mobile devices is particularly important given the volume of portable device loss incidents reported to the ICO. Encryption does not prevent a breach, but it substantially limits the impact when a device is lost or a storage system is accessed without authorisation. Losing an encrypted device is still a personal data breach, but the ICO's guidance accepts that it may not need to be notified where the data is rendered unintelligible and the encryption key is not compromised.
Access to personal data should be restricted to those who need it for their role. Stale accounts for former employees are one of the most common and easily preventable sources of unauthorised access. Regular access reviews, role-based access control, and automated de-provisioning when employees leave are expected controls. Privileged administrative accounts should be separate from standard user accounts and subject to additional monitoring.
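The three access-control failures described above (enabled leaver accounts, dormant accounts, and admin rights held on everyday identities) can be checked mechanically from a directory export. The script below is an added example written for this page, not Softomate's tooling; the directory export, the HR leaver list and the 90-day dormancy threshold are all constructed assumptions, and the `adm-` naming convention for separate admin identities is illustrative.

```python
"""Access review over a directory export, as an added example.

Flags the three failures the text calls out: leavers whose accounts are still
enabled, dormant accounts, and privileged roles held on everyday user identities.
The directory export and HR leaver list are constructed inline; in practice
they would come from the identity provider and HR system.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

DORMANT_AFTER_DAYS = 90   # assumed review threshold; pick one your policy can defend


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    last_login: Optional[date]
    privileged: bool            # holds an administrative role
    is_admin_identity: bool     # a dedicated admin account (here, "adm-" prefix)


# Constructed sample directory export.
DIRECTORY = [
    Account("alice",     True,  date(2024, 5, 30), False, False),
    Account("adm-alice", True,  date(2024, 5, 29), True,  True),   # correct: separate admin identity
    Account("bob",       True,  date(2024, 1, 3),  False, False),  # dormant
    Account("carol",     True,  date(2024, 5, 20), True,  False),  # admin role on everyday account
    Account("dave",      True,  date(2024, 4, 2),  False, False),  # left but never de-provisioned
    Account("erin",      False, date(2023, 11, 1), False, False),  # leaver, correctly disabled
]

# Constructed HR leaver list: username -> leaving date.
LEAVERS = {"dave": date(2024, 3, 29), "erin": date(2023, 11, 15)}


def review(accounts, leavers, today: date,
           dormant_after: int = DORMANT_AFTER_DAYS) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs; an empty list means nothing to action."""
    findings = []
    for a in accounts:
        # 1. Leaver whose account is still enabled: de-provisioning failed.
        if a.enabled and a.username in leavers:
            findings.append((a.username,
                             f"leaver still enabled (left {leavers[a.username].isoformat()})"))
        # 2. Dormant account: enabled but unused beyond the review threshold.
        if a.enabled and (a.last_login is None or (today - a.last_login).days > dormant_after):
            findings.append((a.username, f"dormant: no login in the last {dormant_after} days"))
        # 3. Privileged role on an everyday identity rather than a separate admin account.
        if a.privileged and not a.is_admin_identity:
            findings.append((a.username, "privileged role held on a standard user account"))
    return findings


def review_sample(today_iso: str = "2024-06-01") -> List[Tuple[str, str]]:
    """Run the review over the constructed data as of the given date."""
    return review(DIRECTORY, LEAVERS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for user, finding in review_sample():
        print(f"{user:10s} {finding}")
```

Run against the constructed data on 2024-06-01, this flags bob (dormant), carol (admin role on a standard account) and dave (leaver still enabled); erin is silent because the account was disabled. Keeping the output of each run is the access review record the ICO asks for.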
Regular vulnerability scanning and timely patch application are required to maintain the security of systems processing personal data. The ICO expects organisations to apply critical and high-severity patches within the timeframes specified by the software vendor or, absent specific guidance, within 14 days of release, the window Cyber Essentials mandates. Unpatched internet-facing systems are a common cause of the initial access that leads to data breaches.
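The patching expectation above is a testable rule: for each critical or high finding, the deadline is the vendor's stated window if it has one, otherwise 14 days from the fix's release. The script below is an added example written for this page, not Softomate's tooling or any scanner's output format; the hosts, dates and advisory identifiers are constructed placeholders, not real CVEs.

```python
"""Patch SLA check over vulnerability-scan findings, as an added example.

Classifies each critical/high finding against the vendor's stated window or,
absent one, the 14-day Cyber Essentials window. The findings are constructed
and the advisory IDs are placeholders, not CVEs.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DEFAULT_SLA_DAYS = 14   # Cyber Essentials: critical/high fixes applied within 14 days of release
IN_SCOPE = ("critical", "high")


@dataclass(frozen=True)
class Finding:
    host: str
    advisory: str                           # constructed placeholder identifier
    severity: str                           # critical | high | medium | low
    fix_released: date                      # date the vendor published the fix
    patched_on: Optional[date]              # None = still unpatched
    vendor_sla_days: Optional[int] = None   # vendor-specified window, if any


def deadline(f: Finding) -> date:
    """Vendor window takes precedence; otherwise the 14-day default applies."""
    sla = DEFAULT_SLA_DAYS if f.vendor_sla_days is None else f.vendor_sla_days
    return f.fix_released + timedelta(days=sla)


def assess(f: Finding, today: date) -> str:
    if f.severity not in IN_SCOPE:
        return "out_of_scope"        # still patch it, but the 14-day rule does not apply
    due = deadline(f)
    if f.patched_on is not None:
        return "compliant" if f.patched_on <= due else "late"
    return "overdue" if today > due else "open"


def report(findings, today: date) -> dict:
    """Group (host, advisory) pairs by SLA status."""
    out = {s: [] for s in ("compliant", "late", "open", "overdue", "out_of_scope")}
    for f in findings:
        out[assess(f, today)].append((f.host, f.advisory))
    return out


# Constructed scan output (not real hosts or advisories).
SAMPLE = [
    Finding("web-01",  "ADV-2024-0001", "critical", date(2024, 5, 1),  date(2024, 5, 10)),
    Finding("web-02",  "ADV-2024-0001", "critical", date(2024, 5, 1),  None),
    Finding("mail-01", "ADV-2024-0002", "high",     date(2024, 5, 25), None),
    Finding("db-01",   "ADV-2024-0003", "high",     date(2024, 4, 1),  date(2024, 5, 2), vendor_sla_days=7),
    Finding("db-01",   "ADV-2024-0004", "medium",   date(2024, 3, 1),  None),
]


def report_sample(today_iso: str = "2024-06-01") -> dict:
    """Run the SLA report over the constructed findings as of the given date."""
    return report(SAMPLE, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for status, items in report_sample().items():
        print(f"{status:12s} {items}")
```

As of 2024-06-01 the constructed data yields one compliant host, one overdue critical (web-02, 17 days past the 14-day deadline), one still open high (mail-01, inside its window), and one late patch where a 7-day vendor window was missed even though the host was eventually patched. The "late" category matters for evidence: a breach during that gap would be judged against the missed window, not the eventual patch.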
The ability to restore personal data following an incident is a specific GDPR requirement. Backups must be tested regularly - not just maintained - to ensure they can be recovered when needed. Ransomware attacks, which encrypt operational data and demand payment, have exposed many UK organisations' failure to maintain and test offline or immutable backups.
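"Tested, not just maintained" means actually restoring and checking the result against a record made at backup time. The script below is an added example written for this page, not Softomate's tooling or any backup product's feature: it writes a SHA-256 manifest alongside a backup, restores into a fresh location, and reports files that are missing or no longer match. The client files and the simulated damage are constructed inline.

```python
"""Backup restore verification with an integrity manifest, as an added example.

At backup time a SHA-256 manifest of the source is written next to the copy.
A restore test copies the backup out and checks every file against the
manifest, so silent corruption or a partially encrypted backup is caught
before it is needed in anger. All files here are constructed.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative POSIX path -> SHA-256 for every file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(source: Path, dest: Path) -> Path:
    """Copy source into dest/data and record the manifest taken from the live data."""
    shutil.copytree(source, dest / "data")
    manifest_path = dest / "manifest.json"
    manifest_path.write_text(json.dumps(build_manifest(source), indent=2))
    return manifest_path


def restore_and_verify(backup_dir: Path, restore_to: Path) -> dict:
    """Restore into a fresh directory and compare against the stored manifest."""
    shutil.copytree(backup_dir / "data", restore_to)
    expected = json.loads((backup_dir / "manifest.json").read_text())
    actual = build_manifest(restore_to)
    missing = sorted(set(expected) - set(actual))
    corrupted = sorted(k for k in expected if k in actual and actual[k] != expected[k])
    return {"ok": not missing and not corrupted, "missing": missing, "corrupted": corrupted}


def demo() -> dict:
    """Clean restore, then a restore from a damaged backup copy (constructed data)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "live"
        (src / "clients").mkdir(parents=True)
        (src / "clients" / "matter-001.txt").write_text("constructed client record\n")
        (src / "clients" / "matter-002.txt").write_text("another constructed record\n")

        bkp = tmp / "backup"
        bkp.mkdir()
        backup(src, bkp)
        clean = restore_and_verify(bkp, tmp / "restore-1")

        # Simulate damage to the backup copy itself: one file overwritten
        # (e.g. partially encrypted by ransomware), one file lost.
        (bkp / "data" / "clients" / "matter-002.txt").write_bytes(b"\x00" * 32)
        (bkp / "data" / "clients" / "matter-001.txt").unlink()
        damaged = restore_and_verify(bkp, tmp / "restore-2")
        return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is only useful if an attacker who can encrypt the backup cannot also rewrite it, so in practice it belongs on the offline or immutable copy, or is signed, rather than sitting writable beside the data as it does in this demonstration.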
A Data Protection Impact Assessment (DPIA) is a process for identifying and mitigating privacy risks before starting a new processing activity. Under UK GDPR, DPIAs are mandatory when processing is likely to result in a high risk to individuals - including large-scale processing of sensitive data, systematic monitoring of individuals, or use of new technologies. DPIAs are also good practice for any significant change to how personal data is processed.
DPIAs should involve an assessment of the security measures that will protect the data, not just the privacy and proportionality considerations. Engaging cyber security expertise in the DPIA process ensures that the technical controls proposed are appropriate and implementable. A DPIA that recommends encryption without specifying the encryption standard, key management approach, and implementation plan provides weak assurance to the ICO.
Our virtual CISO service includes DPIA review and support, ensuring that privacy impact assessments include technically sound security recommendations that can be verified and evidenced in the event of regulatory scrutiny.
UK GDPR imposes obligations not just on data controllers but on the data processors they engage - the cloud providers, payroll services, IT support companies, and other third parties that process personal data on their behalf. Controllers must ensure that processors provide sufficient guarantees about security, and the relationship must be governed by a written Data Processing Agreement (DPA) that sets out specific security requirements.
Managing third-party security requires due diligence on a processor's security before engagement, a DPA that states the specific security measures expected of them, and ongoing monitoring of whether those measures are actually in place for as long as the processor holds your data.
Third-party risk management is an area where many UK businesses fall short. The ICO's investigations following multi-party breaches have resulted in enforcement action against controllers who failed to conduct adequate due diligence on their processors, even where the breach originated with the processor rather than the controller.
Under UK GDPR, most organisations are required to maintain a Record of Processing Activities (ROPA) that documents the personal data they process, the purposes for processing, the legal basis, retention periods, and security measures in place. The ROPA is a live document that should be updated whenever processing activities change.
From a cyber security perspective, the ROPA is the foundation of your data security programme. It tells you where personal data lives, which systems process it, and therefore which systems need to be protected. Without a current and accurate ROPA, it is impossible to ensure that security controls are proportionate to the risk of each processing activity or to conduct a meaningful DPIA.
The ICO may request to inspect a ROPA during an investigation. Organisations that cannot produce one, or produce one that is significantly incomplete or outdated, face adverse findings independent of the underlying security issue.
UK GDPR is the version of the EU GDPR that was retained in UK law following Brexit, with amendments to reflect the UK's regulatory context. The core principles, individual rights, and security obligations are substantially the same. The key differences relate to the supervisory authority (the ICO in the UK rather than an EU member state authority), the international data transfer regime (the UK's own adequacy regulations and transfer tools, such as the International Data Transfer Agreement, rather than the EU's adequacy decisions and standard contractual clauses), and the enforcement regime. Organisations operating in both the UK and EU must satisfy both UK GDPR and EU GDPR requirements.
A personal data breach is any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes ransomware attacks that encrypt data (loss of availability), phishing attacks that result in account compromise (unauthorised access), accidental emails sent to the wrong recipient (unauthorised disclosure), and physical theft of unencrypted laptops (unauthorised access and potential unauthorised disclosure). Not every security incident is a personal data breach, but many are - and organisations must assess each incident carefully.
The 72-hour limit is a legal deadline, and missing it without good reason is an aggravating factor in any subsequent enforcement. If you become aware of a breach and need more time to assess it, report what you know within 72 hours and provide supplementary information as it becomes available - the ICO allows phased reporting for complex incidents. Late notification without explanation is far more likely to result in adverse regulatory action than proactive early notification followed by updates. Implementing an incident response plan that triggers the breach assessment process immediately on detection is the most reliable way to meet the notification requirement.
A Data Protection Officer (DPO) is mandatory under UK GDPR for public authorities, organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, and organisations whose core activities involve processing special category or criminal offence data on a large scale. For most SMEs, a DPO is not legally mandatory, but maintaining a named data protection contact who understands UK GDPR obligations is strongly recommended. The ICO has indicated that organisations without any identifiable data protection responsibility are at greater risk of systemic failures. An outsourced DPO or virtual CISO with data protection expertise can provide this function cost-effectively.
Evidence is everything in ICO investigations. Demonstrating appropriate security requires: a documented information security policy; records of security assessments, penetration tests, and vulnerability scans; evidence of patch management processes and compliance; access review records; training completion records for staff; a current ROPA; and documented incident response procedures. Cyber Essentials or ISO 27001 certification provides an independent third-party attestation of your security posture. Organisations that can present a coherent, documented security programme backed by evidence are significantly better positioned in ICO investigations than those relying on verbal assertions about good practice.
The ICO applies a proportionality principle to its assessment of security measures - what is appropriate for a large financial institution processing millions of records is not the same as what is appropriate for a five-person accountancy practice. However, proportionality does not mean that small businesses are exempt from basic security hygiene. The ICO has taken enforcement action against small businesses for failures to implement MFA, encrypt laptops, and manage access to personal data. The ICO's guidance specifically states that Cyber Essentials provides a reasonable baseline for small organisations, and businesses that have implemented Cyber Essentials are better placed to demonstrate compliance.
Yes, but with requirements attached. Transferring personal data to the US or any country outside the UK (and outside the EEA for EU GDPR purposes) requires a lawful transfer mechanism. The UK has adequacy regulations covering US organisations certified under the UK-US Data Bridge (the UK extension to the EU-US Data Privacy Framework). For recipients outside the Data Bridge, the UK's International Data Transfer Agreement, or the UK Addendum to the EU standard contractual clauses, is the most common mechanism. When relying on either, you must also carry out a transfer risk assessment (the ICO's term; the EU equivalent is a transfer impact assessment) of whether the legal protections in the destination country are adequate. Major cloud providers like Microsoft, Google, and AWS provide the necessary contractual documentation and offer UK or EEA data residency options that reduce the complexity of international transfer compliance.