Security outcomes
At a glance
- The UK GDPR requires you to process personal data securely using appropriate technical and organisational measures.
- What’s appropriate for you will depend not just on your circumstances, but also the data you are processing and the risks posed.
- You must assess your information security risk and implement appropriate technical controls.
- The Information Commissioner’s Office and the National Cyber Security Centre (NCSC) have worked together to develop an approach that you can use when making this assessment.
- It allows you to consider common expectations and either follow existing guidance, use particular services or develop your own processes if you have appropriate knowledge and resources to do so.
- The approach is based on four aims:
  - managing security risk;
  - protecting personal data against cyber-attack;
  - detecting security events; and
  - minimising the impact.
In brief
- What does the UK GDPR say about security?
- What are the other requirements?
- How does security relate to the UK GDPR’s accountability principle and our responsibility as data controllers?
- What are ‘appropriate technical and organisational measures’?
- Why ‘security outcomes’?
- What are the aims?
- What are the outcomes?
What does the UK GDPR say about security?
The UK GDPR requires you to process personal data securely. Article 5(1)(f) concerns ‘integrity and confidentiality’ of personal data - in short, it is the GDPR’s ‘security principle’. It states that personal data shall be:
‘processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures’
The aim of this guidance is to describe an overall set of outcomes that are considered ‘appropriate’ to prevent personal data being accidentally or deliberately compromised.
What are the other requirements?
Alongside the security principle, the UK GDPR contains other relevant requirements, including data protection by design in Article 25 and security of processing in Article 32.
Data protection by design requires you to put in place appropriate technical and organisational measures designed to implement the data protection principles effectively and integrate necessary safeguards into the processing. You have to do this at the time of the determination of the means of the processing (ie the design phase of any processing operation) and at the time of the processing itself.
You also have specific security obligations under Article 32 which apply whether you are a controller or a processor. These require you to put in place appropriate technical and organisational measures to ensure an appropriate level of security of both the processing and your processing environment.
These provisions cover fundamental information security concepts including:
- minimisation of personal data collected;
- managing, limiting and controlling access to personal data;
- protecting the classic ‘CIA triad’ (confidentiality, integrity, and availability) of personal data;
- resilience of processing systems and services, and the ability to restore availability and access to personal data; and
- regular testing of the effectiveness of measures implemented.
The measures you implement should be appropriate to the risk presented.
How does security relate to the UK GDPR’s accountability principle and our responsibility as data controllers?
The accountability principle requires you to be able to demonstrate that your processing is done in compliance with the UK GDPR. Accountability also has direct relevance to your responsibility as a data controller.
You are required to implement appropriate technical and organisational measures to ensure, and be able to demonstrate, that processing of personal data is performed in accordance with the UK GDPR.
What are ‘appropriate technical and organisational measures’?
The UK GDPR requires you to have a level of security that is ‘appropriate’ to the risks presented by your processing. You need to consider this in relation to the state of the art and costs of implementation, as well as the nature, scope, context and purpose of your processing. This reflects both the UK GDPR’s risk-based approach, and that there is no ‘one size fits all’ solution to information security.
This means that what’s ‘appropriate’ for you will depend on your own circumstances, the processing you’re doing, and the risks it presents to your organisation.
This guidance sets out a set of security outcomes that could form the basis of describing ‘appropriate technical and organisational measures’ to protect personal data. Whilst there are minimum expectations, the precise implementation of any measures must be appropriate to the risks you face.
Why ‘security outcomes’?
It may seem that there is a lot of confusion about the technical security measures required to comply with your data protection obligations. There is a great deal of detailed guidance available, but it may not be immediately clear what you must put in place, what is simply a suggested approach, and what is relevant to you and your circumstances.
The outcomes intend to provide a common set of expectations that you can meet, either through following existing guidance, using particular services or, if you are sufficiently competent, development of your own bespoke approach.
An outcomes-based approach also enables scaling to any size or complexity of organisation or data processing operation. The outcomes remain constant – it is how they are implemented that differs.
The relationship between the legal requirement, the outcomes and detailed guidance can be read as three layers, from the most abstract to the most concrete:
- “…Implement appropriate technical and organisational measures…”
- The security outcomes: the abstract and outcome-based view of what you must achieve.
- Detailed guidance showing examples of how to achieve the outcomes; alternatively, appropriate services may be available to procure, or a competent organisation might develop a bespoke approach.
What are the aims?
The approach has been developed in accordance with the following four aims:
- A) manage your security risk;
- B) protect personal data against cyber-attack;
- C) detect security events; and
- D) minimise the impact.
Each outcome is summarised under its respective aim, with specific reference to the data protection context following.
What are the outcomes?
A. Manage your security risk
You have appropriate organisational structures, policies and processes in place to understand, assess and systematically manage security risks to personal data.
A.1 Governance
You have appropriate data protection and information security policies and processes in place. If required, you ensure that you maintain records of processing activities and have appointed a Data Protection Officer.
In more detail — ICO guidance
The ICO has published guidance on data protection officers, accountability and governance, documentation and security.
In more detail — Article 29
The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the EU version of the GDPR.
WP29 published guidelines on Data Protection Officers, which the EDPB endorsed in May 2018.
A.2 Risk management
You take appropriate steps to identify, assess and understand security risks to personal data and the systems that process this data.
The UK GDPR emphasises a risk-based approach to data protection and the security of your processing systems and services. You must take steps to assess these risks and include appropriate organisational measures to make effective risk-based decisions based upon:
- the state of the art (of technology);
- the cost of implementation;
- the nature, scope, context and purpose of processing; and
- the severity and likelihood of the risk(s).
Beyond this, where the processing is likely to result in a high risk to the rights and freedoms of individuals, you must also undertake a Data Protection Impact Assessment (DPIA) to determine the impact of the intended processing on the protection of personal data. The DPIA should consider the technical and organisational measures necessary to mitigate that risk. Where such measures do not reduce the risk to an acceptable level, you need to have a process in place to consult with the ICO before you start the processing.
In more detail — Article 29
The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the EU version of the GDPR.
WP29 produced guidelines on high risk processing and DPIAs, which the EDPB endorsed in May 2018.
EDPB guidelines are no longer directly relevant to the UK regime and are not binding under the UK regime. However, they may still provide helpful guidance on certain issues.
Other resources
The NCSC has guidance on risk management for cyber security. Additionally, Step 1 of the 10 Steps to Cyber Security is about developing an information risk management regime.
A.3 Asset management
You understand and catalogue the personal data you process and can describe the purpose for processing it. You also understand the risks posed to individuals of any unauthorised or unlawful processing, accidental loss, destruction or damage to that data.
The personal data you process should be adequate, relevant and limited to what is necessary for the purpose of the processing, and it should not be kept for longer than is necessary.
A.4 Processors and the supply chain
You understand and manage security risks to your processing operations that may arise as a result of using third parties such as data processors. This includes ensuring that they employ appropriate security measures.
In the case of data processors, you are required to choose those that provide sufficient guarantees about their technical and organisational measures. The UK GDPR includes provisions where processors are used, including specific stipulations that must feature in your contract.
Other resources
The NCSC has also published guidance on managing cyber risks in your supply chain.
B. Protect personal data against cyber-attack
You have proportionate security measures in place to protect against cyber-attack which cover:
- the personal data you process; and
- the systems that process such data.
B.1 Service protection policies and processes
You should define, implement, communicate and enforce appropriate policies and processes that direct your overall approach to securing systems involved in the processing of personal data.
You should also consider assessing your systems and implementing specific technical controls as laid out in appropriate frameworks (such as Cyber Essentials).
Other resources
Homepage of the Cyber Essentials scheme on the NCSC’s website.
B.2 Identity and access control
You understand, document and manage access to personal data and systems that process this data. Access rights granted to specific users must be understood, limited to those users who reasonably need such access to perform their function and removed when no longer needed. You should undertake activities to check or validate that the technical system permissions are consistent with your documented user access rights.
You should appropriately authenticate and authorise users (or any automated functions) that can access personal data. You should strongly authenticate users who have privileged access and consider two-factor or hardware authentication measures.
You should prevent users from downloading, transferring, altering or deleting personal data where there is no legitimate organisational reason to do so. You should appropriately constrain legitimate access and ensure there is an appropriate audit trail.
You should have a robust password policy which avoids users having weak passwords, such as those trivially guessable. You should change all default passwords and remove or suspend unused accounts.
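The reconciliation described above (documented access rights checked against what the system actually enforces, privileged access without two-factor authentication, and unused accounts to suspend or remove) can be run as a script. This is an added example and not code from the ICO or NCSC; the access register, the permission export, the field names and the dates are constructed assumptions.

```python
"""Reconcile documented access rights against actual system permissions.
Added illustration, not code from the ICO/NCSC page: every name, field
and value below is a constructed assumption.
"""
from datetime import date, timedelta

# Constructed access register: the rights the organisation has documented.
ACCESS_REGISTER = {
    "alice": {"hr_db": "read", "payroll": "read"},
    "bob": {"hr_db": "read"},
    "carol": {"payroll": "admin"},
}
# Constructed export of what the system actually enforces, with MFA state
# and last login as pulled from the identity system.
SYSTEM_EXPORT = [
    {"user": "alice", "resource": "hr_db", "level": "read", "mfa": True, "last_login": "2024-05-01"},
    {"user": "alice", "resource": "payroll", "level": "admin", "mfa": True, "last_login": "2024-05-01"},
    {"user": "bob", "resource": "hr_db", "level": "read", "mfa": False, "last_login": "2023-09-12"},
    {"user": "carol", "resource": "payroll", "level": "admin", "mfa": False, "last_login": "2024-04-28"},
    {"user": "dave", "resource": "hr_db", "level": "read", "mfa": False, "last_login": "2024-04-30"},
]
PRIVILEGED_LEVELS = {"admin"}      # levels that need strong authentication
STALE_AFTER = timedelta(days=90)   # unused accounts to suspend or remove
AS_OF = date(2024, 5, 15)          # constructed review date


def reconcile(register, export, today=AS_OF):
    """Return findings as a sorted list of (kind, user, resource) tuples."""
    findings = set()
    actual = {(e["user"], e["resource"]): e for e in export}
    # Grants the system enforces that are undocumented or exceed the register.
    for (user, resource), entry in actual.items():
        documented = register.get(user, {}).get(resource)
        if documented is None:
            findings.add(("undocumented_grant", user, resource))
        elif documented != entry["level"]:
            findings.add(("level_mismatch", user, resource))
        # Privileged access that is not protected by two-factor authentication.
        if entry["level"] in PRIVILEGED_LEVELS and not entry["mfa"]:
            findings.add(("privileged_without_mfa", user, resource))
    # Documented rights the system does not actually grant (register is stale).
    for user, rights in register.items():
        for resource in rights:
            if (user, resource) not in actual:
                findings.add(("missing_grant", user, resource))
    # Accounts unused for longer than the stale threshold.
    last_seen = {}
    for e in export:
        seen = date.fromisoformat(e["last_login"])
        last_seen[e["user"]] = max(last_seen.get(e["user"], seen), seen)
    for user, seen in last_seen.items():
        if today - seen > STALE_AFTER:
            findings.add(("stale_account", user, "*"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in reconcile(ACCESS_REGISTER, SYSTEM_EXPORT):
        print(*finding)
```

Each finding maps to an action the section asks for: remove or correct the grant, enforce two-factor authentication on the privileged account, or suspend the unused one.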
B.3 Data security
You implement technical controls (such as appropriate encryption) to prevent unauthorised or unlawful processing of personal data, whether through unauthorised access to user devices or storage media, backups, interception of data in transit or at rest or accessing data that might remain in memory when technology is sent for repair or disposal.
B.4 System security
You implement appropriate technical and organisational measures to protect systems, technologies and digital services that process personal data from cyber-attack.
Whilst the UK GDPR requires a risk-based approach, typical examples of security measures you could take include:
- tracking and recording all assets that process personal data, including end user devices and removable media;
- minimising the opportunity for attack by configuring technology appropriately, minimising available services and controlling connectivity;
- actively managing software vulnerabilities, including using in-support software and the application of software update policies (patching), and taking other mitigating steps, where patches can’t be applied;
- managing end user devices (laptops and smartphones etc.) so that you can apply organisational controls over software or applications that interact with or access personal data;
- encrypting personal data at rest on devices (laptops, smartphones, removable media) that are not subject to strong physical controls;
- encrypting personal data when transmitted electronically;
- ensuring that web services are protected from common security vulnerabilities such as SQL injection and others described in widely-used publications such as the OWASP Top 10; and
- ensuring your processing environment remains secure throughout its lifecycle.
You also undertake regular testing to evaluate the effectiveness of your security measures, including virus and malware scanning, vulnerability scanning and penetration testing as appropriate. You record the results of any testing and remediating action plans.
Whatever security measures you put in place – whether these are your own, or whether you use a third party service such as a cloud provider – you remain responsible both for the processing itself, and also in respect of any devices that you operate.
Further reading — ICO guidance
Under the 1998 Act, the ICO published a number of more detailed guidance pieces on different aspects of IT security. Where appropriate, we will be updating each of these to reflect the UK GDPR’s requirements in due course. However, until that time they may still provide you with assistance or things to consider:
- A practical guide to IT security – ideal for the small business;
- Protecting personal data in online services – learning from the mistakes of others – detailed technical guidance on common technical errors the ICO has seen in its casework;
- Bring your own device (BYOD) – guidance for organisations who want to allow staff to use personal devices to process personal data; and
- Cloud computing (pdf) – guidance covering how security requirements apply to personal data processed in the cloud.
Other resources
- The NCSC has detailed technical guidance in a number of areas that will be relevant to you whenever you process personal data. Some examples include:
  - 10 Steps to Cyber Security - The 10 Steps define and communicate an Information Risk Management Regime which can provide protection against cyber-attacks.
  - Guidance on cybersecurity for small businesses and for charities;
  - Using passwords to protect your data;
  - Penetration testing;
  - Guidance on end-user device security; and
  - Guidance on keeping your smartphones and tablets safe.
The OWASP Foundation maintains the OWASP Top 10.
The European Union Agency for Cybersecurity (ENISA) also has guidance on data protection and security, including a ‘Handbook’ on security of personal data and guidelines for SMEs.
B.5 Staff awareness and training
You give your staff appropriate support to help them manage personal data securely, including the technology they use. This includes relevant training and awareness as well as provision of the tools they need to effectively undertake their duties in ways that support the security of personal data.
Staff should be given support so that they do not inadvertently process personal data (eg by sending it to the wrong recipient).
Other resources
The NCSC’s 10 Steps to Cyber Security includes a step on user education and awareness.
C. Detect security events
You can detect security events that affect the systems that process personal data and you monitor authorised user access to that data.
C.1 Security monitoring
You appropriately monitor the status of systems processing personal data and monitor user access to personal data, including anomalous user activity.
You record user access to personal data. Where unexpected events or indications of a personal data breach are detected, you have processes in place to act upon those events as necessary in an appropriate timeframe.
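The monitoring described above (recording user access to personal data and flagging anomalous activity) can be demonstrated over an access log. This is an added example and not code from the ICO or NCSC; the log format, the sample lines, the working-hours window and the volume threshold are constructed assumptions.

```python
"""Flag anomalous user access to personal data from an access log.
Added illustration, not code from the ICO/NCSC page: the log format,
sample lines and thresholds are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one line per record accessed (assumed format).
SAMPLE_LOG = """\
2024-05-13T09:02:11Z user=alice action=view record=cust/1001
2024-05-13T09:05:40Z user=alice action=view record=cust/1002
2024-05-13T10:15:03Z user=bob action=view record=cust/2001
2024-05-14T09:10:00Z user=alice action=view record=cust/1003
2024-05-14T09:11:00Z user=alice action=view record=cust/1004
2024-05-14T14:00:00Z user=bob action=view record=cust/2002
2024-05-15T23:40:10Z user=bob action=view record=cust/2003
2024-05-15T23:41:00Z user=bob action=export record=cust/2004
2024-05-15T23:41:30Z user=bob action=export record=cust/2005
2024-05-15T23:42:00Z user=bob action=export record=cust/2006
2024-05-15T23:42:30Z user=bob action=export record=cust/2007
2024-05-15T23:43:00Z user=bob action=export record=cust/2008
"""
LINE_RE = re.compile(r"^(\S+) user=(\S+) action=(\S+) record=(\S+)$")
WORK_HOURS = range(7, 20)   # 07:00-19:59 UTC counted as normal (assumption)
VOLUME_FACTOR = 3           # a day with > 3x the user's median daily count
MIN_DAYS = 2                # need at least this many days to form a baseline


def parse(log_text):
    """Parse log lines into (timestamp, user, action, record); skip bad lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the monitor
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def detect(events):
    """Return sorted (kind, user, day) findings for out-of-hours and volume spikes."""
    per_day = defaultdict(lambda: defaultdict(int))
    findings = set()
    for ts, user, _action, _record in events:
        day = ts.date().isoformat()
        per_day[user][day] += 1
        if ts.hour not in WORK_HOURS:
            findings.add(("out_of_hours", user, day))
    for user, days in per_day.items():
        counts = sorted(days.values())
        if len(counts) < MIN_DAYS:
            continue  # too little history to call anything anomalous
        median = counts[len(counts) // 2]  # the user's own typical day
        for day, n in days.items():
            if n > VOLUME_FACTOR * median:
                findings.add(("volume_spike", user, day))
    return sorted(findings)
```

The per-user baseline is what makes the check useful: the same daily count is normal for a caseworker and anomalous for someone who usually touches two records, so each finding is a prompt to investigate within the timeframe your breach process requires.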
D. Minimise the impact
You can:
- minimise the impact of a personal data breach;
- restore your systems and services;
- manage the incident appropriately; and
- learn lessons for the future.
D.1 Response and recovery planning
You have well-defined and tested incident management processes in place in case of personal data breaches. You have mitigation processes in place that are designed to contain or limit the range of personal data that could be compromised following a personal data breach.
Where the loss of availability of personal data could cause harm, you have measures in place to ensure appropriate recovery. This should include maintaining (and securing) appropriate backups.
Other resources
NCSC guidance on backing up your data.
D.2 Improvements
When a personal data breach occurs, you take steps to:
- understand the root cause;
- report the breach to the ICO and, where appropriate, affected individuals;
- where appropriate (or required), report to other relevant bodies (for example, other regulators, the NCSC and/or law enforcement); and
- take appropriate remediating action.
Further reading – European Data Protection Board
The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the EU version of the GDPR.
WP29 published guidelines on personal data breach notification, which the EDPB endorsed in May 2018.
EDPB guidelines are no longer directly relevant to the UK regime and are not binding under the UK regime. However, they may still provide helpful guidance on certain issues.