Compliance and Risk Management Solutions for independent Motor Dealerships.
Established in 2004

Information Security


At a glance

  • A key principle of the UK GDPR is that you process personal data securely by means of ‘appropriate technical and organisational measures’ – this is the ‘security principle’.
  • Doing this requires you to consider things like risk analysis, organisational policies, and physical and technical measures.
  • You also have to take into account additional requirements about the security of your processing – and these also apply to data processors.
  • You can consider the state of the art and costs of implementation when deciding what measures to take – but they must be appropriate both to your circumstances and the risk your processing poses.
  • Where appropriate, you should look to use measures such as pseudonymisation and encryption.
  • Your measures must ensure the ‘confidentiality, integrity and availability’ of your systems and services and the personal data you process within them.
  • The measures must also enable you to restore access and availability to personal data in a timely manner in the event of a physical or technical incident.
  • You also need to ensure that you have appropriate processes in place to test the effectiveness of your measures, and undertake any required improvements.
  • We have worked closely with the National Cyber Security Centre (NCSC) to develop an approach that you can use when assessing the measures that will be appropriate for you.

In brief

Security outcomes

GDPR Guide.pdf (6.13MB)
GDPR Guide.pdf (6.13MB)

 How well do you comply with data protection law: an assessment tool for small business owners and sole traders


About the Guide to the GDPR
What's new
Key definitions


Lawful basis for processing

Individual rights

 Right to be informed

 Accountability and governance


Personal data breaches


National security and defence