GDPR / DPA Security Requirements
Article 32 of the General Data Protection Regulation (GDPR), incorporated into UK law by Section 66 of the Data Protection Act 2018, imposes certain security requirements on organisations that control or process personal data (defined as any information relating to an identified or identifiable living individual):
(1) Each controller and each processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks arising from the processing of personal data.
(2) In the case of automated processing, each controller and each processor must, following an evaluation of the risks, implement measures designed to
(a) prevent unauthorised processing or unauthorised interference with the systems used in connection with it,
(b) ensure that it is possible to establish the precise details of any processing that takes place,
(c) ensure that any systems used in connection with the processing function properly and may, in the case of interruption, be restored, and
(d) ensure that stored personal data cannot be corrupted if a system used in connection with the processing malfunctions.
The above are the minimum legal requirements, and failure to comply with them is punishable by penalty notices (fines) issued by the Information Commissioner's Office (ICO) under Sections 155-159, or by compensation ordered by the courts under Sections 167-169, of the DPA.
Please refer to the following presentation for more information on these requirements.