What Are the Appropriate Organisational Measures Under the UK GDPR?
Find out what organisational measures you should implement in your business.

12,194. That’s the number of data breaches that were reported to the ICO in 2024. Even worse, these incidents don’t reflect the number of data subjects affected. A single breach could have a widespread impact on hundreds of thousands of individuals.
Many data breaches happen because data controllers and processors have not put in place the “appropriate technical and organisational measures” (Article 32) needed to safeguard the personal data they hold.
Failing to implement the necessary measures goes against one of the seven principles that underpin the UK GDPR: integrity and confidentiality, more commonly called the security principle. To help you remain compliant, we cover the provisions needed to protect personal data at an organisational level.
Read part two to find out which technical controls you need to implement.
Why Is Information Security Important?
Information security stems from the UK GDPR’s principle of ‘integrity and confidentiality’ (Article 5(1)(f)). Complying with this principle means having security in place that minimises the risk of personal data being breached, whether accidentally or maliciously.
Information security is simply good data protection practice. If you fail to secure data, you expose the individuals affected by a breach to fraud, physical harm, intimidation and undue distress. Whatever the level of harm caused, the ICO can hold you accountable, and its enforcement powers extend to substantial administrative fines.
The higher maximum penalty for non-compliance is £17.5 million or 4% of your total annual worldwide turnover, whichever is higher. Are you willing to risk all this?
What Do You Need to Protect?
Your technical and organisational measures need to:
- Keep data private and secure so that it cannot be accessed, altered, deleted or disclosed by unauthorised users
- Maintain the accuracy and integrity of the data you process
- Ensure data remains available, e.g., it can be restored in a timely manner if it is lost, altered or deleted
These three components are known as confidentiality, integrity and availability. They form part of your UK GDPR obligations and are also the basis of the ISO 27001 requirements if you pursue certification.
Organisational Measures Checklist
Below, we outline several organisational measures to maintain data security:
- Complete information risk assessments, including DPIAs where required
- Build a culture of awareness
- Identify a person in charge of compliance
- Implement policies and procedures
- Plan for the worst
For tailored advice, speak to our GDPR consultancy to ensure you choose actions suitable for your organisation.
1. Complete Information Risk Assessments (Including DPIAs)
One way to demonstrate your accountability is through regular risk assessments, which help you identify and mitigate problems before they escalate.
A specific type of risk assessment, the data protection impact assessment (DPIA), is mandatory under Article 35 when processing is “likely to result in a high risk” to the rights and freedoms of individuals. The notion of ‘high risk’ is not fully defined, but Article 35(3) names several situations in which a DPIA is always required, including systematic and extensive profiling with legal or similarly significant effects, large-scale processing of special category or criminal offence data, and large-scale systematic monitoring of a publicly accessible area. The ICO also publishes a list of further processing operations that require a DPIA.
A DPIA is carried out at the start of a project and before processing begins. In it, you identify the risks involved in the processing, assess their likelihood and severity, and record the measures you will take to mitigate them.
Outside of this, you should have a process in place to enable employees to report data protection concerns to a central contact such as a DPO. Doing this will improve accountability across your organisation.
2. Build a Culture of Awareness
GDPR compliance starts from within your organisation. Your employees need to understand their data protection obligations and the actions they must take to maintain compliance.
This forms part of your GDPR training programme, which should cover topics including:
- Introduction to data protection
- Handling subject access requests
- Data sharing
- Information security
- Personal data breach management
- Records management, e.g., RoPA and DPIA training
This training should be delivered during inductions and through regular refreshers so that employees’ knowledge and skills stay up to date. An appropriate trainer, such as a data protection officer (DPO) or Data Champion, should oversee and deliver it.
3. Identify a Person in Charge of Compliance
The ICO states that you should have “a person with day-to-day responsibility for information security within your organisation.” Naming one individual does not mean security is theirs alone: executive leadership must back that person, IT departments implement the controls, and every member of your wider team plays a part in protecting data.
Depending on your processing, you may also need a DPO. Article 37 makes a DPO mandatory for public authorities and for organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special category or criminal offence data. A DPO can be in-house or outsourced, and acts as an adviser on your UK GDPR obligations, monitoring compliance and supporting training and GDPR audits.
Your DPO must be able to act independently: they report to the highest level of management, must not be instructed on how to carry out their tasks, and must not hold other duties that conflict with their DPO role (Article 38). An organisation has a single DPO, but if your internal DPO is stretched they can be supported by additional in-house resource or by outsourced data protection specialists, either on an ad-hoc basis or on an ongoing contract.
Worried your internal team is struggling? Here are the five telltale signs that outsourcing your DPO might be the answer to all your problems.
4. Implement Policies & Procedures
An appropriate organisational measure is an information security policy that sets out how you meet the security principle. How formal these documents need to be depends on the size of your business and the nature of your processing; a very small organisation may not need a separate formal policy, but it should still be able to show what its security arrangements are.
Alongside this, you should have GDPR documentation in place that supports information security, such as:
- Data retention policy
- Data retention schedule
- Data breach notification & response procedure
- Data sharing agreement
You may also have a Bring Your Own Device (BYOD) and remote access policy to set standardised controls for employees using personal devices or working at home.
5. Plan for the Worst
An essential aspect of information security is availability. Article 32(1)(c) requires the ability to restore the availability of, and access to, personal data in a timely manner in the event of a physical or technical incident.
You should have a business continuity and disaster recovery plan that outlines how you will maintain your critical functions and protect personal data during an incident or disaster, including who is responsible for invoking the plan and how long each critical system can be down before harm results.
Alongside these plans, keep backups of your data, software and systems, store at least one copy separately from the live environment so that a single incident such as ransomware cannot destroy both, and test restores regularly: a backup you have never restored from is not evidence that you can meet the availability requirement.
Get in Touch With Our Data Protection Consultants Today
Worried about which steps to take next? Our data protection consultancy can help you implement the appropriate measures to maintain GDPR compliance.
Speak to our team today to get started.