GDPR & Security

Under the UK GDPR (Article 32(1)(d)), every organisation that processes personal data (data relating to living individuals) must have a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures it uses to secure that data; in practice this means regularly testing the security of its IT infrastructure and applications. Some of the key security requirements under the GDPR include:

Overall, the GDPR requires organisations to take a risk-based approach to data protection and to implement appropriate technical and organisational measures to protect the personal data they process. 

The official guidance from the Information Commissioner's Office (ICO) states:

Are we required to ensure our security measures are effective?

Yes, the UK GDPR specifically requires you to have a process for regularly testing, assessing and evaluating the effectiveness of any measures you put in place. What these tests look like, and how regularly you do them, will depend on your own circumstances. However, it’s important to note that the requirement in the UK GDPR concerns your measures in their entirety, therefore whatever ‘scope’ you choose for this testing should be appropriate to what you are doing, how you are doing it, and the data that you are processing. Technically, you can undertake this through a number of techniques, such as vulnerability scanning and penetration testing. 

While the law requires you to conduct regular testing, it does not prescribe exactly how often or what kind of testing you must perform. It is up to your organisation, given its specific circumstances, to ensure that both the frequency and the type of testing are appropriate under the requirements of the UK GDPR, and to be able to show why they are.

First of all, you need a documented risk assessment to demonstrate that you have considered what is appropriate given your business circumstances. Organisations need to show that a risk assessment was carried out that took into account all relevant risks and led to the implementation of appropriate technical and organisational measures, including in particular the risks specified in Article 32(2):

Based on your risk assessment, you then need to implement appropriate technical and organisational measures to address the risks identified. The key word is appropriate: the measures must be proportionate to the risk, and they can be technical and/or organisational. Examples of such measures may include:

In any case, the measures implemented must be appropriate, adequate and effective, and they must be regularly tested. Examples of testing may include:

How do you evidence compliance with Article 32? Generally speaking you would need: