This guidance describes a set of technical security outcomes that are considered to represent appropriate measures under the GDPR. It has been developed jointly between the Information Commissioner's Office (ICO) and the NCSC.
What does the GDPR say about security?
The GDPR requires you to process personal data securely. Article 5(1)(f) concerns ‘integrity and confidentiality’ of personal data – in short, it is the GDPR’s ‘security principle’. It states that personal data shall be:
‘processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures’
The aim of this guidance is to describe an overall set of outcomes that are considered ‘appropriate’ to prevent personal data being accidentally or deliberately compromised.
Data protection and security of processing
Alongside the security principle, the GDPR contains further specific provisions.
It makes data protection by design a legal requirement (previously known as ‘privacy by design’). Article 25 mandates that, at the time of the determination of the means of the processing (i.e. the design phase of any processing operation) and at the time of the processing itself, organisations shall put in place appropriate technical and organisational measures designed to implement data protection in an effective manner, and to integrate the necessary safeguards into the processing.
Whether you’re a controller or a processor, you also have specific security obligations under Article 32, ‘Security of processing’. These require you to put in place appropriate technical and organisational measures to ensure a level of security of both the processing and your processing environment.
These provisions turn what is considered good security practice into a legal minimum. They go further than the obligations of the Data Protection Act 1998 and introduce established information security concepts into data protection legislation, including:
- Minimisation of personal data collected
- Managing, limiting and controlling access to personal data
- Protecting the classic ‘CIA triad’ (confidentiality, integrity, and availability) of personal data
- Resilience of processing systems and services, and the ability to restore availability to personal data in the event of an incident
- Regular testing of the effectiveness of measures implemented
The measures you implement should be appropriate to the risk presented.
Accountability and our responsibility as data controllers
The accountability principle requires you to be able to demonstrate that your processing is done in compliance with the GDPR. It has direct relevance to your responsibility as a data controller.
This requires you to implement appropriate technical and organisational measures to ensure, and be able to demonstrate, that processing of personal data is performed in accordance with the GDPR.
What are appropriate technical and organisational measures?
The GDPR requires you to have a level of security that is ‘appropriate’ to the risks presented by your processing. You need to consider this in relation to the state of the art and costs of implementation, as well as the nature, scope, context and purpose of the processing. This reflects both the GDPR’s risk-based approach, and that there is no ‘one size fits all’ solution to security.
This means that what’s ‘appropriate’ for you will depend on your own circumstances, the processing you’re doing, and the risks it presents.
This guidance sets out a set of security outcomes that could form the basis of describing appropriate technical and organisational measures to protect personal data. Whilst there are minimum expectations, the precise implementation of measures must be appropriate to the risks faced.
Why security outcomes?
It may seem like there is a lot of confusion as to the technical security required to comply with your data protection obligations. There is lots of detailed guidance available, but it may not be immediately clear what you must put in place, what is simply a suggested approach and what is relevant to you and your circumstances.
The outcomes are intended to provide a common set of expectations that you can meet, either through following existing guidance (such as our Small Business Guide or the ICO’s A Practical Guide to IT Security), using particular services or, if you are sufficiently competent, developing your own bespoke approach.
An outcomes-based approach also enables scaling to any size or complexity of organisation or data processing operation. The outcomes remain constant – it is how they are implemented that differs.
The approach has been developed in accordance with the following four aims:
- A) Manage security risk
- B) Protect personal data against cyber attack
- C) Detect security events
- D) Minimise the impact
Each outcome is summarised under its respective aim, with specific reference to the data protection context following.
A) Manage security risk
You have appropriate organisational structures, policies, and processes in place to understand, assess and systematically manage security risks to personal data.
You have appropriate data protection and information security policies and processes in place. If required, you ensure that you maintain records of processing activities, and have appointed a Data Protection Officer.
A.2 Risk management
You take appropriate steps to identify, assess and understand security risks to personal data and the systems that process this data.
The GDPR emphasises a risk-based approach to data protection and the security of your processing systems and services. You must take steps to assess these risks and include appropriate organisational measures to make effective risk-based decisions based upon:
- the state of the art [of technology]
- cost of implementation
- the nature, scope, context and purpose of processing, and
- the severity and likelihood of the risk being realised.
Beyond this, where the processing is likely to result in a high risk to the rights and freedoms of individuals, you must also undertake a Data Protection Impact Assessment (DPIA) to determine the impact of the intended processing on the protection of personal data. The DPIA should consider the technical and organisational measures necessary to mitigate that risk. Where such measures do not reduce the risk to an acceptable level, you need to have a process in place to consult with the ICO before you start the processing.
A.3 Asset management
You understand and catalogue the personal data you process and can describe the purpose for processing it. You also understand the risks posed to individuals of any unauthorised or unlawful processing, accidental loss, destruction or damage to that data.
The personal data you process should be adequate, relevant and limited to what is necessary for the purpose of the processing, and it should not be kept for longer than is necessary.
A.4 Data processors and the supply chain
You understand and manage security risks to your processing operations that may arise as a result of dependencies on third parties such as data processors. This includes ensuring that they employ appropriate security measures.
In the case of data processors, you are required to choose those that provide sufficient guarantees about their technical and organisational measures. The GDPR includes provisions where processors are used, including specific stipulations that must feature in your contract.
B) Protect personal data against cyber attack
You have proportionate security measures in place to protect against cyber attack which cover:
- the personal data you process and
- the systems that process such data
B.1 Service Protection Policies and Processes
You should define, implement, communicate and enforce appropriate policies and processes that direct your overall approach to securing systems involved in the processing of personal data.
You should also consider assessing your systems and implementing specific technical controls as laid out in appropriate frameworks (such as Cyber Essentials).
B.2 Identity & Access Control
You understand, document and manage access to personal data and systems that process this data. Access rights granted to specific users must be understood, limited to those users who reasonably need such access to perform their function and removed when no longer needed. You should undertake activities to check or validate that the technical system permissions are consistent with your documented user access rights.
You should appropriately authenticate and authorise users (or automated functions) that can access personal data. You should strongly authenticate users who have privileged access and consider two-factor or hardware authentication measures.
You should prevent users from downloading, transferring, altering or deleting personal data where there is no legitimate organisational reason to do so. You should appropriately constrain legitimate access and ensure there is an appropriate audit trail.
You should have a robust password policy which avoids users having weak passwords, such as those that are trivially guessable. You should change all default passwords and remove or suspend unused accounts.
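One way to carry out the B.2 check that technical system permissions match your documented user access rights is a periodic reconciliation of the two. The following is an added example, not code from the ICO or NCSC; the access register, the permission export and the store names are constructed for illustration.

```python
"""Reconcile documented access rights against effective system permissions.

Added example, not part of the ICO/NCSC guidance. Both inputs are constructed:
DOCUMENTED is the access register (who is approved to access which store of
personal data); EFFECTIVE is what a permissions export from the systems shows.
"""
from dataclasses import dataclass

# Constructed documented register: user -> stores they are approved to access
DOCUMENTED = {
    "alice": {"hr_records", "payroll"},
    "bob": {"crm"},
    "svc_backup": {"hr_records", "payroll", "crm"},
}

# Constructed export of effective permissions taken from the systems themselves
EFFECTIVE = {
    "alice": {"hr_records", "payroll"},
    "bob": {"crm", "payroll"},             # excess: payroll is not in the register
    "carol": {"crm"},                      # undocumented account (e.g. a leaver)
    "svc_backup": {"hr_records", "crm"},   # missing payroll: backups may be incomplete
}


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str            # "excess", "undocumented" or "missing"
    stores: frozenset    # the stores the finding relates to


def reconcile(documented, effective):
    """Return findings sorted by user: permissions the register does not
    grant (excess), accounts the register does not know (undocumented), and
    approved access the systems do not actually provide (missing)."""
    findings = []
    for user, has in effective.items():
        approved = documented.get(user)
        if approved is None:
            findings.append(Finding(user, "undocumented", frozenset(has)))
            continue
        excess = has - approved
        if excess:
            findings.append(Finding(user, "excess", frozenset(excess)))
    for user, approved in documented.items():
        missing = approved - effective.get(user, set())
        if missing:
            findings.append(Finding(user, "missing", frozenset(missing)))
    return sorted(findings, key=lambda f: (f.user, f.kind))


if __name__ == "__main__":
    for f in reconcile(DOCUMENTED, EFFECTIVE):
        print(f"{f.kind:12} {f.user:12} {sorted(f.stores)}")
```

"Excess" and "undocumented" findings are the ones to revoke; "missing" findings usually mean the register is stale and should be corrected rather than the permission granted.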
B.3 Data Security
You implement technical controls (such as appropriate encryption) to prevent unauthorised or unlawful processing of personal data, whether through unauthorised access to user devices or storage media, backups, interception of data in transit or at rest or accessing data that might remain in memory when technology is sent for repair or disposal.
B.4 System Security
You implement appropriate technical and organisational measures to protect systems, technologies and digital services that process personal data from cyber attack.
Whilst the GDPR requires a risk-based approach, typical expected examples of security measures you could take include:
- Tracking and recording of all assets that process personal data, including end user devices and removable media.
- Minimising the opportunity for attack by configuring technology appropriately, minimising available services and controlling connectivity.
- Actively managing software vulnerabilities, including using in-support software and the application of software update policies (patching) and taking other mitigating steps, where patches can’t be applied.
- Managing end user devices (laptops, smartphones, etc.) so that you can apply organisational controls over software or applications that interact with or access personal data.
- Encrypting personal data at rest on devices (laptops, smartphones, and removable media) that are not subject to strong physical controls.
- Encrypting personal data when transmitted electronically.
- Ensuring that web services are protected from common security vulnerabilities such as SQL injection and others described in widely-used publications such as the OWASP Top 10.
- Ensuring your processing environment remains secure throughout its lifecycle.
You also undertake regular testing to evaluate the effectiveness of your security measures, including virus and malware scanning, vulnerability scanning and penetration testing as appropriate. You record the results of any testing and remediating action plans.
Whatever security measures are put in place, whether these are your own or whether you use a third party service such as a cloud provider, you remain responsible both for the processing itself, and also in respect of any devices you operate.
B.5 Staff awareness & training
You give staff appropriate support to help them manage personal data securely, including the technology they use. This includes relevant training and awareness as well as provision of the tools they need to effectively undertake their duties in ways that support the security of personal data.
Staff should be provided with support to ensure that they do not inadvertently process personal data (e.g. by sending it to the incorrect recipient).
C) Detect security events
You can detect security events that affect the systems that process personal data and you monitor authorised user access to that data.
C.1 Security monitoring
You appropriately monitor the status of systems processing personal data and monitor user access to that data, including anomalous user activity.
You record user access to personal data. Where unexpected events or indications of a personal data breach are detected, you have processes in place to act upon those events as necessary in an appropriate timeframe.
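The C.1 outcome asks for user access to personal data to be recorded and for anomalous activity to be noticed. The following added example (not code from the ICO or NCSC) runs two simple detections over a constructed access log: access outside normal working hours, and bulk reading of one store by one user in a day. The log format, the user and store names and both thresholds are assumptions for illustration.

```python
"""Flag anomalous access to personal data from an access log.

Added example, not part of the ICO/NCSC guidance. The log lines are constructed
in the assumed format "<ISO timestamp> <user> <action> <store> <record id>";
the thresholds are illustrative assumptions, not figures from the guidance.
"""
from collections import Counter
from datetime import datetime

# Constructed sample: alice works on a few records in office hours; bob reads
# one CRM record normally, then bulk-reads the HR store late at night.
ACCESS_LOG = """\
2024-05-02T09:14:05 alice READ hr_records 1043
2024-05-02T09:16:41 alice READ hr_records 1044
2024-05-02T10:02:12 alice UPDATE hr_records 1043
2024-05-02T11:30:00 bob READ crm 2001
2024-05-02T23:05:01 bob READ hr_records 1001
2024-05-02T23:05:02 bob READ hr_records 1002
2024-05-02T23:05:03 bob READ hr_records 1003
2024-05-02T23:05:04 bob READ hr_records 1004
2024-05-02T23:05:05 bob READ hr_records 1005
2024-05-02T23:05:06 bob READ hr_records 1006
"""

BULK_READ_THRESHOLD = 5     # assumed: reads of one store by one user per day
WORK_HOURS = range(7, 19)   # assumed: 07:00 to 18:59 counts as normal


def parse(log):
    """Yield (timestamp, user, action, store, record) tuples from the log."""
    for line in log.splitlines():
        ts, user, action, store, rec = line.split()
        yield datetime.fromisoformat(ts), user, action, store, rec


def find_anomalies(log):
    """Return sorted (user, reason) pairs; each reason is raised once per user."""
    reads = Counter()   # (user, store, day) -> number of READ events
    alerts = set()
    for ts, user, action, store, rec in parse(log):
        if ts.hour not in WORK_HOURS:
            alerts.add((user, f"out-of-hours {action} on {store}"))
        if action == "READ":
            key = (user, store, ts.date())
            reads[key] += 1
            if reads[key] == BULK_READ_THRESHOLD:   # alert once, when crossed
                alerts.add((user, f"bulk read of {store}"))
    return sorted(alerts)


if __name__ == "__main__":
    for user, reason in find_anomalies(ACCESS_LOG):
        print(f"ALERT {user}: {reason}")
```

Each alert is the trigger for the follow-up process the outcome requires; the raw per-access records remain the audit trail that lets you establish what was actually accessed.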
D) Minimise the impact
You are able to:
- minimise the impact of a personal data breach
- restore your systems and services
- manage the incident appropriately
- learn lessons for the future
D.1 Response and recovery planning
You have well-defined and tested incident management processes in place in case of personal data breaches. You have mitigation processes in place that are designed to contain or limit the range of personal data that could be compromised following a personal data breach.
Where the loss of availability of personal data could cause harm, you have measures in place to ensure appropriate recovery. This should include maintaining (and securing) appropriate backups.
When a personal data breach occurs, you take steps to:
- understand the root cause
- report the breach to the Information Commissioner and, where appropriate, affected individuals
- where appropriate (or required), report to other relevant bodies (for example, other regulators, the NCSC and/or law enforcement), and
- take appropriate remediating action.