The importance of the UK GDPR’s security principle

January 19th, 2024 Posted in Data Protection

Why is the UK GDPR’s security principle so important right now?

Article 32 of the UK General Data Protection Regulation (“UK GDPR”) says “the controller and processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to risk” (the UK GDPR’s security principle). Aside from generic controls, however, the UK GDPR gives minimal detail on the specific measures organisations should take to keep their personal data secure, perhaps because technology is constantly changing, and because appropriate organisational practices will depend on the size of your organisation and the personal data being processed.

As a result, the burden falls on organisations to determine exactly what measures they need to implement to keep their data secure. This blog aims to help you understand the importance of cyber security when it comes to data protection and the UK GDPR and some cyber security measures (such as penetration testing and vulnerability scanning) you should consider to support you with compliance.


How can organisations keep data secure?

You will need to determine the types of personal data you process. Special category data needs more protection because of its sensitive nature. Maintaining a comprehensive record of processing activities will help you identify the different data types and assess the risk posed by processing the data. This will enable you to determine the appropriate technical and organisational measures to put in place for each data type.

Maybe not so obvious, but organisations should consider the data minimisation and storage limitation principles. If you collect the minimum personal data you require for your processing, set defined retention periods and then delete personal data when it is no longer required, in the event of a breach of security, the data compromised will be less than if you keep data indefinitely, “just in case it’s needed”. As such, complying with other key data protection principles will significantly support your efforts to keep your data secure. Our head of Data Protection Practice, Ray Orife, recently discussed how organisations can keep up with their compliance obligations.

Another important principle for organisations to consider is the principle of Accountability. Accountability means that you are responsible for demonstrating how you comply with the GDPR. In the context of the security principle, you must be able to demonstrate that you have implemented appropriate security measures on a risk-based approach and that you keep your risk assessments under periodic review. For example, if you deploy encryption across your technology stack, you should document where it is and is not used and then regularly review your use to assess whether you need to make a change based on your current processing activities. You should document your rationale for any decision on whether a change is required. Adopting this approach will enable you to evidence your compliance with the accountability principle.

What are organisational measures?

Organisational measures can be categorised as the four “P’s” – physical, people, policy and process:

Physical – your physical security controls in place for access into buildings or secure areas of your business.

People – you may want to consider the need for baseline security checks on your employees, with higher-level security checks for those who have access to more sensitive data.

Policy – you have appropriate policies in place to meet the requirements of the data protection principles and privacy by design. These policies will fit into the categories of organisational and technical measures. For example, a data protection policy and IT security policy will set out an organisation’s obligations, roles and responsibilities, but also the technical measures that must be implemented to meet them. Policies are the “what” you should do.

Process – you have documented processes in place to complement your policies. These may include your data protection impact assessment process, which enables you to assess the risks to the processing activity and then determine the appropriate organisational and technical controls based on the risk posed by the processing. Processes are the “how” you do what the policy says.

What are technical measures?

Technical measures cover both physical and computer or IT security and are sometimes referred to as “logical controls”. Technology is used to mitigate the risks of accidental loss, destruction or damage and to protect against malicious activity. Technical measures include:

  • Access controls – how you control who can access information and the methods you use to authenticate the user and check they are who they say they are. This could be two-factor authentication or single sign-on. Read more in our blog on tips for password security.
  • Penetration testing – simulating a cyber attack, which will help you discover points of exploitation that a hacker could take advantage of. For more information on penetration testing, see our free guide – A Complete Guide to Penetration Testing.
  • Vulnerability scanning – a vulnerability scan is an automated process that proactively identifies security weaknesses in your network or an individual system, such as out-of-date software versions or missed patches. The outputs of vulnerability scanning will help you create a targeted plan to fix those weaknesses and keep your data safe. See our blog on vulnerability scanning best practices here – Vulnerability scanning 101: Best Practices for Vulnerability Scanning.

It’s important to remember that pen testing and vulnerability scanning are not the same. To learn more about the differences, we have an excellent blog on vulnerability scan vs pen test. Or you can view our complete Penetration Testing Services and Vulnerability Scanning Services.

Activities that are both organisational and technical measures include:

  • Tabletop exercises – a cyber incident response tabletop exercise will help you to practise how you will respond to a cyber incident, ensuring everyone knows their incident response role and responsibilities when dealing with an incident that results in a personal data breach. Our blog on Creating Your Incident Response Plan is a good starting point, or you can download our free Guide to Incident Response.
  • Ongoing monitoring – this activity is important in the proactive management of keeping your personal data secure. Ongoing monitoring not only includes ensuring the technical controls remain sufficient in a technology-changing world, but also that your organisational policies are reviewed and updated.

If, unfortunately, you become the victim of a data breach or security incident, here are a few things to consider as part of your lessons learned to improve your security posture and better respond to future incidents: What should you do after a cyber security incident?

The cost of a data breach

Personal data breaches can be costly. Not only are there potential financial penalties from the Information Commissioner’s Office (ICO) to be mindful of for security breaches that result in a loss of personal data, but there is also the reputational damage to your organisation, the ongoing costs of fixing security and the detrimental impact on individuals.

Below are a few examples of data breaches. They demonstrate:

(1) how consistently breaches occur;
(2) the impact such incidents can have on an organisation from an operational standpoint;
(3) why organisations must implement robust security controls from both an organisational and technical perspective; and finally
(4) the need for organisations to constantly keep their security controls under review.

Although a while ago now, it is still worth noting the WannaCry ransomware attack (which the NHS was subject to in 2017) due to the severity of the breach in terms of the impact on the NHS’s operations, the volume of data affected and the nature of the personal data involved. The ransomware encrypted data on the computers it infected and demanded a ransom payment. Whilst it was reported that the NHS did not pay the ransom, the disruption to services had a significant impact, with thousands of operations and appointments cancelled and patients having to travel further to accident and emergency departments.

More recently, the ICO is currently investigating the online leak of confidential documents from 14 UK schools. The breach was the work of a hacking group called Vice Society, which uploaded data to the dark web when its demands for money were not met. The leaked data included children’s sensitive information, child passport scans, staff pay scales and contract details.

In January this year, T-Mobile detected a data breach which took place in November 2022. A hacker accessed personal data belonging to 37 million customers, stealing data, which included names, billing addresses, email addresses, phone numbers, dates of birth and T-Mobile account numbers. The company is working with law enforcement bodies and has begun to notify customers whose information may have been breached.

In addition, these breaches highlight why it is imperative that organisations comply with the UK GDPR’s security principle: a personal data breach may amount to a breach of the law and, ultimately, lead to regulatory enforcement if an organisation is found not to have implemented appropriate organisational and technical measures to protect its personal data.

Next steps

As a specialist data protection company offering comprehensive GDPR services and cyber security consultancy, Evalian is well placed to assist you with navigating the requirements of the UK GDPR’s security principle, including helping you to write your policies and processes and to improve your cyber security posture. If you just want some initial guidance, then please do contact us.

Written by Leah Smith

Leah has worked in the Government sector in Information Assurance, Information Security and Data Protection for over 21 years and was DPO for Ordnance Survey and its group of companies before joining Evalian®. Leah’s qualifications include Practitioner Certificate in Data Protection PC.dp (GDPR), ISEB Certified Information Management Principles (CISMP) and ISO27001 Lead Implementer.