Information Security

At a glance

• A key principle of the UK GDPR is that you process personal data securely by means of ‘appropriate technical and organisational measures’ – this is the ‘security principle’.
• Doing this requires you to consider things like risk analysis, organisational policies, and physical and technical measures.
• You also have to take into account additional requirements about the security of your processing – and these also apply to data processors.
• You can consider the state of the art and costs of implementation when deciding what measures to take – but they must be appropriate both to your circumstances and the risk your processing poses.
• Where appropriate, you should look to use measures such as pseudonymisation and encryption.
• Your measures must ensure the ‘confidentiality, integrity and availability’ of your systems and services and the personal data you process within them.
• The measures must also enable you to restore access and availability to personal data in a timely manner in the event of a physical or technical incident.
• You also need to ensure that you have appropriate processes in place to test the effectiveness of your measures, and undertake any required improvements.
• We have worked closely with the National Cyber Security Centre (NCSC) to develop an approach that you can use when assessing the measures that will be appropriate for you.

In brief

• What does the UK GDPR say about security?
• Why should we worry about information security?
• What do we need to protect with our security measures?
• What level of security is required?
• What organisational measures do we need to consider?
• What technical measures do we need to consider?
• What if we operate in a sector that has its own security requirements?
• What do we do when a data processor is involved?
• Should we use pseudonymisation and encryption?
• What are ‘confidentiality, integrity, availability’ and ‘resilience’?
• What are the requirements for restoring availability and access to personal data?
• Are we required to ensure our security measures are effective?
• What about codes of conduct and certification?
• What about our staff?

A practical guide to IT security.pdf (140.05KB)

A practical guide to IT security.pdf (140.05KB)

GDPR Guide.pdf (6.13MB)

GDPR Guide.pdf (6.13MB)

Bring your own device (BYOD).pdf (343.8KB)

Bring your own device (BYOD).pdf (343.8KB)

 How well do you comply with data protection law: an assessment tool for small business owners and sole traders

About the Guide to the GDPR
What's new
Key definitions

• What is personal data?
• Controllers and processors

Principles

•  Lawfulness, fairness and transparency
• Purpose limitation
• Data minimisation
• Accuracy
• Storage limitation
• Integrity and confidentiality (security)
• Accountability principle

Lawful basis for processing

•  Consent
• Contract
• Legal obligation
• Vital interests
• Public task
• Legitimate interests
• Special category data
• Criminal offence data

Individual rights

 Right to be informed

• Right of access
• Right to rectification
• Right to erasure
• Right to restrict processing
• Right to data portability
• Right to object
• Rights related to automated decision making including profiling

 Accountability and governance

• Contracts
• Documentation
• Data protection by design and default
• Data protection impact assessments
• Data protection officers
• Codes of conduct
• Certification
• Data protection fee

Security

• Encryption
• Ransomware and data protection compliance
• Passwords in online services

Personal data breaches

• International transfers after the UK exit from the EU Implementation Period
• International data transfer agreement and guidance

Exemptions

• Immigration exemption

National security and defence