
Key Issues Regarding Data Security Under the GDPR


Keeping personal data secure is a core requirement of the UK GDPR data protection regime. If your organisation processes personal data, you must protect it with appropriate security measures and be able to show why those measures are adequate. This article outlines some of the key issues around data security under the UK GDPR.

What Does the UK GDPR Say About Data Security?

The UK General Data Protection Regulation (UK GDPR), supplemented by the Data Protection Act 2018, is the law governing the use of personal data in the UK. Which of its rules apply, and how demanding they are, depends on the types of personal data your organisation processes and the risk that processing poses to the individuals concerned.

Data security is one of the principles at the heart of the UK GDPR: the ‘integrity and confidentiality’ principle in Article 5(1)(f). It requires organisations to process personal data in a way that ensures appropriate security, including protection against:

  • unauthorised or unlawful processing; and
  • accidental loss, destruction or damage.

Organisations must use appropriate ‘technical or organisational measures’ to keep personal data secure. Article 32 (security of processing) expands on this obligation and applies to processors as well as controllers.


Does the GDPR Specify Mandatory Security Measures?

The UK GDPR does not prescribe a mandatory, exhaustive list of security measures. Article 32 does, however, name examples that organisations should implement ‘as appropriate’: pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability of and access to personal data in a timely manner after a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of the measures. Beyond those examples, it sets out principles that organisations must apply to decide which security measures to put in place.

Under the UK GDPR rules, organisations need to take a risk-based approach, applying a level of security that is ‘appropriate’ to the risk that the processing poses to the rights and freedoms of the individuals whose personal data they hold.

To decide which security measures are appropriate for your organisation, the factors you must weigh include:

  • the state of the art, and the costs of implementing security measures;
  • the nature, scope, context and purposes of the processing, and the security measures your organisation already has in place;
  • what types of personal data you process and the risks to data subjects;
  • whether certain types of personal data you process require extra protection, e.g. special category data such as health data, or financial data; and
  • the potential damage if the data you hold is compromised, e.g. the likelihood and severity of harm to individuals if there is a personal data breach.

Practical Examples of Data Security Measures

There is no one-size-fits-all approach to data security. It is up to each organisation processing personal data to decide what security they should have in place. Organisations must justify why their data security measures are appropriate and comply with the UK GDPR rules.

Below are some examples of the types of data security measures that organisations should consider as part of their assessments and implementation of data security:

  • allocating internal responsibility for data security to specific individuals;
  • having agreements in place with third parties who process personal data on your behalf and carrying out due diligence on them to check which data security measures they have in place;
  • implementing and regularly reviewing data security policy and procedures;
  • carrying out data protection impact assessments for high-risk processing activities to identify and mitigate risks;
  • reviewing the UK Information Commissioner’s Office (ICO) guidance on data security and complying with it;
  • delivering staff training on data protection and data security, such as identifying phishing emails and malware and reporting personal data breaches; 
  • having in place a personal data breach response plan covering how breaches are detected, contained, recorded and, where required, reported to the ICO within 72 hours of becoming aware of them;
  • maintaining security systems such as firewalls, encryption and authentication, and keeping software patched and up to date;
  • implementing anti-virus software and appropriate security policies, including password requirements and two-factor (or multi-factor) authentication;
  • considering measures such as encryption, to reduce the risk to data subjects;
  • implementing processes to block high-risk websites that might pose a threat to personal data; and
  • considering physical security to protect against unauthorised access to, or damage to, personal data. For example, restrict access to personal data to authorised personnel only; on your business premises, implement entry controls, CCTV and other security measures; and ensure your organisation has secure storage arrangements for personal data, whether held on paper or on devices.

These are only examples and not a definitive list of requirements.

If you are unsure about what data security measures to put in place, you should seek legal advice and also support from a technical data security expert.

Key Takeaways

Data security is a fundamental concept under the UK GDPR. Where your organisation processes personal data, you must keep it secure. Your organisation will need to carefully consider the UK GDPR principles and ICO guidance on data security and put in place appropriate measures accordingly. There is no one-size-fits-all approach to data security, so you must be able to justify why the measures in place at your organisation adequately protect the personal data you process.

If you would like advice on UK GDPR compliance, our experienced data privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today at 0808 196 8584 or visit our membership page.

Sej Lamba
