New data protection laws include tighter cyber security requirements

The recent official opening of the National Cyber Security Centre re-emphasises the need for continued cyber security measures by all organisations, to protect against the risks of cyber attack and inadvertent data loss.

Taking appropriate security measures is also a feature of current data protection law. The seventh data protection principle requires data controllers to take appropriate “technical and organisational measures” against unauthorised or unlawful processing of personal data and against accidental loss, or destruction of, or damage to, personal data.

The General Data Protection Regulation (GDPR), which will apply in the UK from 25 May 2018, contains various additional requirements designed to ensure that organisations implement appropriate security measures for the personal data they process. The GDPR imposes positive requirements on organisations, and also carries the threat of substantial fines for organisations that do not comply. For example, the GDPR:

  • Requires data controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk including, amongst other matters, where appropriate:
    • The “pseudonymisation” and encryption of personal data;
    • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
    • The ability to restore the availability and access to personal data in a timely manner if there is a physical or technical incident;
    • A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of their data processing activities.
  • Specifies that in assessing the appropriate level of security, data controllers and processors shall take account in particular of the risks from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.
  • Introduces requirements, subject to certain conditions, to notify data breaches to the relevant supervisory authority (in the UK, the Information Commissioner’s Office) without undue delay and where feasible within 72 hours.
  • Requires data breaches to be notified to affected data subjects where the data breach is likely to result in a “high risk” to the rights and freedoms of individuals. There are certain exceptions, including where the data controller has implemented appropriate technical and organisational protection measures, which were applied to the personal data affected by the breach and which render the data unintelligible to anyone not authorised to access it, such as through encryption.
  • Requires data controllers to implement data protection “by design and by default”, so that the safeguards required by the GDPR are embedded into their activities.
  • Specifies that the factors to be taken into account when setting fines under the regulation include “the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to” the requirements on privacy by design and by default, and on security. Fines under the GDPR can be up to 4% of global turnover or EUR 20M if greater.
