What Are the Appropriate Technical Measures Under the UK GDPR?

Find out what technical measures you should implement in your business.

The UK GDPR mentions “appropriate technical and organisational measures” almost 100 times. What this means and covers, however, is not exactly clear.

This law consists of two key aspects: data security and protection. Data protection focuses on the legality of processing and collecting personal data. Data security, on the other hand, examines the security measures necessary to protect personal data from unauthorised access or misuse.

So, a technical and organisational measure refers to the controls taken to ensure data protection. In part one of this series, we focused on organisational measures, and below, we continue with the technical aspects.

Your Minimum Compliance Requirements (Article 32)

Before you determine suitable technical measures, you should first understand Article 32.

Article 32 of the GDPR outlines that data controllers and processors must implement technical and organisational measures to protect the personal data they process.

Your measures should protect data from (Article 32 (2)):

  • Accidental or unlawful destruction
  • Loss
  • Alteration
  • Unauthorised disclosure of personal data transmitted, stored or processed
  • Unauthorised access to personal data transmitted, stored or processed

The security measures you choose must be ‘appropriate’ to your processing activities and the associated risks. The UK GDPR expects an appropriate level of protection to include the ability to:

  • Pseudonymise personal data
  • Protect the confidentiality, integrity, availability and resilience of processing systems and services.
  • Restore the availability of and access to personal data in a timely manner following a physical or technical incident (see part one for more information).
  • Have a process for validating the effectiveness of technical and organisational measures.
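Pseudonymisation, the first item above, means replacing direct identifiers with tokens that can only be linked back to a person with additional information that you keep separately. The following example is added here to show one way of doing that; it is not code from the original article, the ICO or any named product. It uses a keyed HMAC rather than a plain hash (an unkeyed hash of an email address can be reversed by hashing candidate addresses), keeps the key and the re-identification table apart from the pseudonymised dataset, and coarsens the postcode so the output carries less identifying detail. The sample records, field names and key-handling functions are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample dataset with fictitious people (illustration only).
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "purchases": 3},
    {"email": "bob@example.com", "postcode": "M1 1AE", "purchases": 1},
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "purchases": 2},
]


def new_pseudonymisation_key() -> bytes:
    """Generate a random 256-bit key.

    Store it separately from the pseudonymised data (for example in a secrets
    manager): it is the 'additional information' that allows re-identification.
    """
    return secrets.token_bytes(32)


def pseudonymise(identifier: str, key: bytes) -> str:
    """Deterministic pseudonym: HMAC-SHA256 over the identifier under a secret key.

    The same identifier always maps to the same token, so records about one
    person remain linkable, but without the key the token cannot be reversed or
    guessed by hashing candidate identifiers (unlike a plain unkeyed hash).
    """
    normalised = identifier.strip().lower()
    return hmac.new(key, normalised.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_records(records, key):
    """Replace the direct identifier (email) with a pseudonym and coarsen the postcode.

    Returns the pseudonymised dataset and a separate re-identification table,
    which must be stored apart from the dataset under its own access controls.
    """
    reident = {}
    out = []
    for rec in records:
        token = pseudonymise(rec["email"], key)
        reident[token] = rec["email"]
        out.append({
            "subject": token,
            "postcode_area": rec["postcode"].split()[0],  # outward code only
            "purchases": rec["purchases"],
        })
    return out, reident


def reidentify(token, reident):
    """Look a pseudonym up in the separately held table; None if unknown."""
    return reident.get(token)


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    data, table = pseudonymise_records(SAMPLE_RECORDS, key)
    for row in data:
        print(row)
    print("first subject is", reidentify(data[0]["subject"], table))
```

Note that the two records for the same email address receive the same token, which is what makes pseudonymised data still useful for analysis, and that anyone holding only the dataset cannot tell who the subjects are.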

Examples of Technical Measures Under the GDPR

Please note that you should first conduct a risk assessment of your processing activities to determine which of these technical measures will be most effective for your circumstances.

With this in mind, we list the technical controls recommended by the ICO and the Cyber Essentials framework.

Physical Safety Measures

While the world is becoming increasingly digital, we still need to consider our security in the real world. Consider your office, home and anywhere else you work; you can be just as incident-prone here as you are online.

For example, your employees may lose equipment or have it stolen, or hard-copy documents may be misplaced, stolen or improperly disposed of. These security incidents happen all the time.

As such, you should consider the following controls for keeping your physical location secure:

  • CCTV
  • Alarms and security lighting
  • Access control protocols
  • Visitor logs and ID badges
  • Protocols for disposing of paper and electronic waste

Cyber Security Measures

You also need to consider your cyber security posture, especially with new cyber threats and vulnerabilities on the rise.

Cyber security is a broad and specialised field, so what you need to consider will depend on the sophistication of your systems and the personal data they process. For the purposes of this article, you should have measures for:

Infrastructure & System Security

You need to maintain the security of your internal networks, servers, cloud infrastructure and any other systems that process or store personal data.

Example measures:

  • Firewalls & intrusion detection systems
  • Patch management
  • VPN
  • Encryption
  • Access control
  • Strong password policies
  • Antivirus and anti-malware software

Data Security

Along with keeping your systems secure, you must also protect the personal data stored within them. Having the right technical controls will maintain the confidentiality, integrity and availability of this data.

You should consider:

  • Access controls – Only authorised users should have access to specific data. You should implement permissions based on job roles so that individuals only have access to the data they need to carry out their tasks.
  • Multi-factor authentication (MFA) – MFA is an extra layer of security that requires a user to verify their identity before gaining access to data or systems.
  • Encryption – Data encryption is a process of encoding information with a key. Only those with the decryption key can read this information, which prevents attackers from reading it even if they obtain a copy. Refer to the ICO’s full guide on encryption for more details.
  • Data backups – You should back up your data regularly. Ensure it is stored and encrypted in a secure location, preferably outside of your workplace.
  • Data erasure – Do you have data you no longer need? Free up storage space and permanently remove personal data from your systems. (See ‘storage limitation’ for more information.)
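The first item above, role-based access with permissions limited to what each job needs, is easy to state and easy to get wrong in practice. The example below is added here to show the pattern in working code; it is not code from the original article or from any named product. The roles, the field-level permissions and the customer store are all hypothetical and constructed for illustration. The points it demonstrates are that access is denied by default (an unknown role gets nothing), that permissions are checked per field rather than per record, and that every decision, allowed or denied, is written to a log so you can later show who read what.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical role-to-field permissions (constructed for this example).
# Anything not listed here is denied: deny by default is the least-privilege stance.
ROLE_PERMISSIONS = {
    "support": {"customer_id", "name", "email"},
    "finance": {"customer_id", "name", "billing_address", "card_last4"},
    "auditor": {"customer_id"},
}

# Constructed sample store with a fictitious customer.
CUSTOMERS = {
    "c-1001": {
        "customer_id": "c-1001",
        "name": "A. Example",
        "email": "a@example.com",
        "billing_address": "1 High St",
        "card_last4": "4242",
    },
}


class AccessDenied(PermissionError):
    """Raised when a role requests a field it is not permitted to see."""


@dataclass
class AccessLog:
    """In-memory access log; a real deployment would ship this to tamper-evident storage."""
    entries: list = field(default_factory=list)

    def record(self, user, role, customer_id, fields, allowed):
        self.entries.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "role": role,
            "customer_id": customer_id,
            "fields": sorted(fields),
            "allowed": allowed,
        })


def permitted_fields(role):
    """Fields a role may read; an unknown role gets the empty set."""
    return ROLE_PERMISSIONS.get(role, set())


def read_customer(user, role, customer_id, requested_fields, log, store=CUSTOMERS):
    """Return only the requested fields, and only if the role may read all of them.

    A request is refused as a whole if any requested field is outside the role's
    permissions, so a caller cannot widen its view by bundling fields together.
    """
    requested = set(requested_fields)
    denied = requested - permitted_fields(role)
    if denied:
        log.record(user, role, customer_id, requested, allowed=False)
        raise AccessDenied(f"role {role!r} may not read {sorted(denied)}")
    record = store.get(customer_id)
    if record is None:
        log.record(user, role, customer_id, requested, allowed=False)
        raise KeyError(customer_id)
    log.record(user, role, customer_id, requested, allowed=True)
    return {f: record[f] for f in requested_fields}


if __name__ == "__main__":
    log = AccessLog()
    print(read_customer("jo", "support", "c-1001", ["name", "email"], log))
    try:
        read_customer("jo", "support", "c-1001", ["card_last4"], log)
    except AccessDenied as exc:
        print("denied:", exc)
    for entry in log.entries:
        print(entry)
```

The same shape applies whether the check sits in application code, a database row- and column-level policy, or an API gateway; what matters is that the permission set is tied to the role, not to the individual, and that the denied attempts are logged as carefully as the allowed ones.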

Online Security

Your website, applications or any third-party online service you use needs to be secure. When not protected, they serve as easy entry points for cyber criminals to compromise customer data.

You may need to consider technical measures such as TLS certificates (still commonly called SSL certificates) to encrypt traffic to and from your site, web application firewalls, security plugins that scan for threats, and regular security updates.

There are many other ways to secure a website; this is often best left to a specialist third party to manage on your behalf.

Device Security

Whether personal or company-issued, your employees’ devices need to be protected at all times. Best practices include:

  • Implementing a Bring-Your-Own-Device (BYOD) policy for employees using a personal device
  • Antivirus software across all devices to detect, prevent and respond to cyber threats
  • Implementing Mobile Device Management software to manage, secure and monitor mobile devices remotely, so you can wipe data if a device is stolen or lost
  • Regularly updating devices with the latest software and security updates
  • Using VPNs to allow employees to securely access company servers

For more tips, refer to the National Cyber Security Centre (NCSC) guide on device security.

Do You Need to Test Your Security Measures?

Yes. Article 32 states that you must have “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures”. The tests you take and how often you do them will depend on your business’s circumstances.

You can assess the effectiveness of your measures using a vulnerability scan, penetration test, GDPR audit or through other techniques. These tests are best done externally, such as through a data protection consultancy, to avoid a conflict of interest.

You should document all the results and implement changes swiftly to minimise potential risks resulting in a personal data breach.

Speak to Our Data Protection Consultancy Today

Unsure whether you have the ‘appropriate’ technical and organisational measures in place? We can conduct a GDPR audit to identify areas of non-compliance, including weaknesses in your security controls.

We also provide cyber security services to help improve your technical controls, including GDPR support services to improve your overall compliance. Speak to our team to find out more.