GDPR and Cybersecurity: What UK Businesses Must Do

UK GDPR requires businesses to implement appropriate technical and organisational security measures to protect personal data. A cybersecurity failure that results in a data breach is not just an operational problem — it is a legal obligation failure that can result in ICO investigation, fines, and reputational damage.

Overview

UK GDPR requires appropriate technical security measures to protect personal data. Breaches affecting personal data must be reported to the ICO within 72 hours if they pose a risk to individuals. Cyber Essentials provides a recognised baseline for demonstrating Article 32 compliance. 43% of UK businesses experienced a breach in 2025 (DSIT).

GDPR and Cybersecurity: The Legal Obligation

For UK businesses handling personal data, cybersecurity is not merely a best practice — it is a legal requirement. UK GDPR (the retained version of the EU General Data Protection Regulation, as amended by the Data Protection Act 2018) imposes a specific duty on organisations to protect personal data using appropriate technical and organisational security measures. A cybersecurity failure that results in a personal data breach is therefore both an operational incident and a potential regulatory violation.

According to the DSIT Cyber Security Breaches Survey 2025, 43% of UK businesses experienced a cybersecurity breach or attack in the past 12 months, with 74% of large businesses reporting breaches (DSIT 2025). Any of these breaches that involved personal data — employee records, customer details, financial information, health data — potentially triggered GDPR obligations including mandatory reporting to the Information Commissioner's Office (ICO).

What Article 32 Requires

UK GDPR Article 32 does not prescribe a specific set of technical controls. Instead, it requires organisations to implement measures "appropriate to the risk," taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of data processing, as well as the likelihood and severity of risk to individuals. In practical terms, this means the ICO expects businesses to have implemented at least the baseline security controls appropriate for their size and the sensitivity of the data they hold.

Article 32 specifically mentions several categories of measure: the pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems; the ability to restore access to personal data in a timely manner following an incident; and a process for regularly testing, assessing, and evaluating the effectiveness of security measures.

The NCSC's Cyber Essentials scheme is widely accepted as the baseline set of technical controls that demonstrates compliance with Article 32 for most SMEs. The five Cyber Essentials controls — firewall configuration, secure settings, access control, malware protection, and patch management — address the vast majority of common attack vectors that lead to data breaches.

ICO Enforcement: What Happens After a Breach

When the ICO investigates a data breach, it assesses whether the organisation had implemented appropriate security measures before the incident occurred. The investigation examines several key questions:

Were basic technical controls in place, including MFA, patching, and access controls?

Was the breach avoidable: could it have been prevented by controls that were available, affordable, and proportionate?

Was the breach discovered promptly?

Was the ICO notification made within the required 72-hour window?

Were affected individuals notified where the breach posed a high risk to their rights?

The ICO has publicly stated that it takes a more lenient view of breaches where organisations had invested appropriately in security and responded promptly and transparently. Conversely, organisations with clearly inadequate controls, delayed notification, or poor incident management face more severe outcomes. The average cost of a data breach for UK organisations was £3.4 million (IBM 2024), encompassing not just regulatory penalties but also legal costs, remediation, business interruption, and reputational damage.

Significant ICO Enforcement Actions

The ICO has demonstrated its willingness to impose substantial fines for cybersecurity failures. Notable cases include a £20 million fine for British Airways following a data breach that exposed the personal and financial data of approximately 400,000 customers, and an £18.4 million fine for Marriott International after attackers accessed the records of approximately 339 million guests. For SMEs, fines are typically lower in absolute terms but can still be material relative to turnover — and the reputational damage from a published enforcement action can be equally significant.

The 72-Hour Breach Notification Obligation

Under UK GDPR Article 33, when a personal data breach occurs that is likely to result in a risk to the rights and freedoms of individuals, the data controller must notify the ICO within 72 hours of becoming aware of it. This is 72 hours from awareness, not from the breach occurring. Given that many cyber incidents are not detected for days, weeks, or even months, early detection capability is directly relevant to compliance.

The notification to the ICO must include:

the nature of the breach;

the categories and approximate numbers of individuals and personal data records affected;

the name and contact details of the data protection officer or other contact point;

the likely consequences of the breach;

the measures taken or proposed to address the breach and mitigate its effects.

Where notification cannot be made within 72 hours, a documented reason for the delay must accompany the notification.

Where the breach is likely to result in a high risk to individuals — for example, exposure of financial data, health records, or information that could lead to identity fraud — those individuals must also be notified directly. The threshold for individual notification is higher than for ICO notification, but failure to notify when required is itself a regulatory violation. Only 14% of UK businesses have a formal incident response plan (DSIT 2025), meaning the vast majority of organisations would struggle to meet the 72-hour deadline without a pre-established procedure.

Technical Measures for GDPR Compliance

For most UK SMEs, practical GDPR security compliance starts with implementing the Cyber Essentials controls. These address the technical vulnerabilities most commonly exploited in breaches that the ICO investigates.

Access Control and Authentication

Implement MFA across all accounts, particularly Microsoft 365, VPN, and any cloud service accessible from the internet. With 85% of breaches involving phishing (DSIT 2025), credential theft is the most common pathway to a data breach that triggers GDPR obligations. MFA significantly reduces the risk of credential-based compromise.

Encryption

Encrypt all laptops, mobile devices, and portable storage. A lost or stolen encrypted device may not constitute a reportable breach, because the data remains inaccessible provided the encryption key or passphrase has not also been compromised. An unencrypted device containing personal data that is lost or stolen almost certainly requires ICO notification, and individual notification as well if the data is sensitive.

Patch Management

Maintain all operating systems and applications with current security patches. Unpatched vulnerabilities are a common finding in ICO investigations, and failure to apply available patches is difficult to justify as an "appropriate measure" under Article 32.

Endpoint Protection

Deploy and maintain current anti-malware and endpoint detection on all devices that access personal data. Ransomware attacks that encrypt personal data constitute a data breach under GDPR, even if the data is not exfiltrated, because availability has been compromised.

Email Security

Configure email filtering, SPF, DKIM, and DMARC email authentication, and phishing protection to reduce the risk of email-borne attacks that lead to data breaches. Email remains the primary attack vector for phishing and business email compromise.

Organisational Measures

Technical controls alone do not satisfy GDPR requirements. Businesses also need:

documented security policies that are communicated to staff;

a formal breach response procedure, including the 72-hour ICO notification process;

regular staff training on data handling and breach recognition;

data protection impact assessments (DPIAs) for high-risk processing activities;

data processing agreements with third-party suppliers who handle personal data on your behalf.

A formal data protection policy supported by actual, functioning technical controls is far stronger than either alone. The ICO specifically looks for evidence that policies exist and are followed, not just that they have been written.

How AMVIA Supports GDPR Security Compliance

AMVIA's managed cybersecurity services are designed to implement and maintain the technical controls that satisfy GDPR Article 32 requirements. AMVIA configures MFA, endpoint protection, patching, email security, and encryption — the controls most directly relevant to preventing the breaches the ICO investigates most frequently. AMVIA supports Cyber Essentials certification as documentary evidence of appropriate technical measures, and provides incident response support including guidance on GDPR notification obligations when a security incident occurs. With 55,995 Cyber Essentials certifications issued in 2025 (NCSC), the alignment between Cyber Essentials and GDPR security obligations is well established across the UK business community.

Key Points

What UK businesses need to know about GDPR cybersecurity obligations.

Legal Obligation to Secure Data

UK GDPR Article 32 requires appropriate technical and organisational measures — proportionate to the risk posed by the data you hold.

72-Hour Breach Reporting

If a cyber incident results in a data breach that risks individuals' rights, the ICO must be notified within 72 hours of becoming aware.

ICO Enforcement Includes Fines

The ICO can fine organisations up to £17.5 million or 4% of global annual turnover for serious GDPR violations, including security failures.

43% of UK Businesses Breached in 2025

43% of UK businesses experienced a cybersecurity breach in 2025 (DSIT). Any breach affecting personal data triggers GDPR obligations.

GDPR Security Checklist

MFA enforced on all accounts — credential theft triggers most data breach notifications

All laptops and mobile devices encrypted

Patching maintained — unpatched systems are a common ICO enforcement finding

Breach response procedure documented — 72-hour ICO notification process clear

Cyber Essentials certification achieved or targeted — documented evidence of baseline controls

Third-party supplier data processing agreements in place

Demonstrate GDPR-Compliant Security

AMVIA implements the technical controls that meet UK GDPR's Article 32 security requirements — and supports businesses through Cyber Essentials certification as evidence of compliance.