Key Issues Regarding Data Security Under the GDPR

Keeping personal data secure is a key requirement under the UK GDPR data protection law regime. As such, if your organisation processes personal data, you must safeguard it and secure it with appropriate security measures. This article will outline some of the key issues around data security under the UK GDPR.

What Does the UK GDPR Say About Data Security?

The UK General Data Protection Regulation (UK GDPR) is the law governing the use of personal data. The UK GDPR contains several rules, depending on the types of personal data the business processes.

A key principle at the heart of the UK GDPR rules is data security. The GDPR rules require businesses to process personal data in a way that ensures appropriate security. This includes protecting personal data against: 

• unauthorised or unlawful processing;
• accidental loss;
• destruction; and 
• damage. 

Organisations must use appropriate ‘technical or organisational measures’ to keep personal data secure.

GDPR Essentials Factsheet

This factsheet sets out how your business can become GDPR compliant.

Download Now

Does the GDPR Specify Mandatory Security Measures?

The GDPR does not define or list what types of security measures organisations need to implement. However, it does set out principles around data security, which organisations must consider and use to decide what data security measures to put in place.

For example, to decide on which security measures are appropriate for your organisation, you must consider:

• the costs of implementing security measures;
• what types of security your organisation has;
• what types of personal data you process and the risks to data subjects;
• whether certain types of personal data you process require extra protection, e.g. financial data; and
• potential damage if the data you hold is compromised, e.g. if there is a personal data breach.

Practical Examples of Data Security Measures

There is no one-size-fits-all approach to data security. It is up to each organisation processing personal data to decide what security they should have in place. Organisations must justify why their data security measures are appropriate and comply with the UK GDPR rules.

Below are some examples of the types of data security measures that organisations should consider as part of their assessments and implementation of data security:

• allocating internal responsibility for data security to specific individuals;
• having agreements in place with third parties who process personal data on your behalf and carrying out due diligence on them to check which data security measures they have in place;
• implementing and regularly reviewing data security policy and procedures;
• carrying out data protection impact assessments for high-risk processing activities to identify and mitigate risks;
• reviewing the UK Information Commissioner’s Officer (ICO) guidance on data security and complying with it;
• delivering staff training on data protection and data security, such as identifying phishing emails and malware and reporting personal data breaches; 
• having in place a data breach plan to prevent data breaches;
• maintaining up-to-date security systems such as firewalls, encryption and authentication;
• implementing anti-virus software and appropriate security policies, including password protection and two-factor authentication;
• considering measures such as encryption, to reduce the risk to data subjects;
• implementing processes to block high-risk websites that might pose a threat to personal data; and
• considering physical security to protect against unauthorised access or damage to personal data. For example, restricting access to personal data to authorised personnel only. In your business premises, implement entry controls and CCTV and security. Also, ensure your organisation has secure storage arrangements to protect personal data.

These are only examples and not a definitive list of requirements.

Key Takeaways

Data security is a fundamental concept under the UK GDPR. Where you are processing personal data in your organisation, you must always keep it secure. Your organisation will need to carefully consider the UK GDPR guidance and principles around data security and put in place appropriate data security measures accordingly. Data security is not a one-size-fits-all approach. Accordingly, you must justify why the security measures in place at your organisation adequately protect the personal data you process.

If you would like advice on UK GDPR compliance, our experienced data privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today at 0808 196 8584 or visit our membership page.