
GDPR Cybersecurity Compliance: Technical Measures for UK Businesses

UK GDPR Article 32 requires organisations to implement appropriate technical measures to secure personal data. This guide covers the specific controls the ICO expects: encryption, access management, MFA, patch management and tested backups.


Nathan Hill-Haimes

Technical Director

8 min read·Mar 2026

What Article 32 requires in practice

Article 32 of UK GDPR requires data controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The regulation does not prescribe specific technologies — it requires proportionate controls based on the nature of the data processed, the risks involved, and the state of the art in security technology.

This flexibility is practical but creates genuine uncertainty for businesses trying to understand whether their technical controls are sufficient. The ICO's guidance, enforcement decisions, and the broader context of the Cyber Essentials scheme all point to a consistent set of baseline technical controls that the regulator expects to see in place.

Control 1: Encryption

Encryption is the most directly referenced technical control in Article 32, which specifically mentions pseudonymisation and encryption as examples of appropriate measures. In practice, this means:

  • Encryption at rest: Personal data stored on devices, servers and cloud storage should be encrypted. Microsoft 365 encrypts data at rest by default within its platform. Devices holding personal data (laptops, mobile devices, USB drives) should use full-disk encryption (BitLocker on Windows, FileVault on macOS). Full-disk encryption only protects a device that is powered off or locked, so pair it with an enforced screen-lock policy, and escrow the recovery keys centrally (for BitLocker, in Entra ID or Active Directory) so that a forgotten password or a failed device does not turn an encrypted laptop into an availability incident.
  • Encryption in transit: Personal data transmitted across networks should be encrypted using TLS. This applies to web applications (HTTPS), email (TLS between servers), API communications, and remote access connections (VPN or TLS-based remote desktop).
  • Portable media: A recurring theme in ICO enforcement is the loss or theft of an unencrypted USB drive or laptop. An encrypted removable media policy, full-disk encryption on all mobile devices, and the ability to evidence that encryption was actually enabled on the specific device that was lost materially reduce both the risk to data subjects and the regulatory exposure.

Control 2: Access controls and least privilege

Limiting access to personal data to those with a business need, the principle of least privilege, follows directly from Article 5(1)(f) (integrity and confidentiality) and from Article 32. Practical implementation includes:

  • Role-based access control: permissions granted by job function rather than individually assigned
  • Regular access reviews: confirming that access permissions remain appropriate, particularly when staff change roles or leave
  • Offboarding procedures: prompt revocation of all access when an employee leaves
  • Privileged access management: ensuring that administrative accounts with elevated permissions are used only when needed and are subject to enhanced monitoring

Control 3: Multi-factor authentication

MFA is not explicitly named in Article 32, but the ICO has made clear in its enforcement decisions and guidance that the absence of MFA on systems holding personal data is likely to constitute a failure to implement appropriate technical measures, particularly in high-risk contexts. MFA should be enabled on:

  • Email accounts (the most common initial access vector)
  • Cloud platforms including Microsoft 365, Google Workspace, Salesforce, HR systems and finance software
  • VPN and remote access connections
  • Administrative interfaces and management consoles

Control 4: Patch management

Unpatched software vulnerabilities are a primary attack vector in data breaches. A systematic patch management process, with documented timescales for applying critical and high-severity patches, is expected by the ICO. Critical patches to internet-facing systems should be applied within 14 days or sooner, the same window Cyber Essentials requires for critical and high-severity updates. Devices still running end-of-life operating systems with no security support present a clear compliance risk, because no patch will ever arrive for them; they need to be isolated or replaced, and the decision recorded.
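A documented timescale is only a control if you can show whether you met it. The following is an added example, not AMVIA's process or any scanner's output: it takes a constructed patch inventory of the kind a vulnerability scanner or MDM would export and produces the compliance report (overdue, late, on-time, end-of-life hosts) that the accountability section later asks for. The 14-day window for critical and high-severity patches on internet-facing systems follows the text; the 30-day internal window, the 90-day window for lower severities, the end-of-life table and the patch identifiers are this example's assumptions.

```python
"""Patch SLA compliance report over a constructed patch inventory.

Added example, not AMVIA's tooling. The 14-day window for critical and high-severity
patches on internet-facing systems follows the text; the 30- and 90-day windows and the
end-of-life table are this example's assumed policy and must be replaced with your own.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


def sla_days(severity: str, internet_facing: bool) -> int:
    """Remediation window in days for a given patch."""
    if severity in ("critical", "high"):
        return 14 if internet_facing else 30  # 30 is an assumed internal-system window
    return 90  # assumed window for medium/low


# Constructed end-of-support dates; take real ones from the vendor lifecycle pages.
END_OF_LIFE = {"Windows Server 2012 R2": date(2023, 10, 10)}


@dataclass(frozen=True)
class PatchRecord:
    host: str
    os: str
    patch_id: str  # placeholder references, not real advisory identifiers
    severity: str
    published: date
    internet_facing: bool
    installed: Optional[date] = None  # None means still pending


def assess(records, today):
    """Return one report row per patch with its deadline and SLA status."""
    rows = []
    for r in records:
        deadline = r.published + timedelta(days=sla_days(r.severity, r.internet_facing))
        if r.installed is None:
            status = "overdue" if today > deadline else "pending"
        else:
            status = "late" if r.installed > deadline else "on-time"
        eol = r.os in END_OF_LIFE and today > END_OF_LIFE[r.os]
        rows.append({"host": r.host, "patch": r.patch_id, "deadline": deadline,
                     "status": status, "eol_os": eol})
    return rows


def summarise(rows):
    """Headline numbers for the compliance evidence file."""
    return {
        "overdue": sum(r["status"] == "overdue" for r in rows),
        "late": sum(r["status"] == "late" for r in rows),
        "eol_hosts": sorted({r["host"] for r in rows if r["eol_os"]}),
    }


# Constructed inventory, as a patch scanner or MDM export would provide it.
SAMPLE_INVENTORY = [
    PatchRecord("web01", "Ubuntu 22.04", "PATCH-A", "critical", date(2026, 2, 10), True, date(2026, 2, 20)),
    PatchRecord("web02", "Windows Server 2022", "PATCH-B", "critical", date(2026, 2, 10), True),
    PatchRecord("fs01", "Windows Server 2012 R2", "PATCH-C", "high", date(2026, 2, 20), False, date(2026, 3, 5)),
    PatchRecord("hrapp01", "Windows Server 2022", "PATCH-D", "medium", date(2026, 1, 1), False),
    PatchRecord("mail01", "Ubuntu 22.04", "PATCH-E", "high", date(2026, 1, 15), True, date(2026, 2, 10)),
]
REPORT_DATE = date(2026, 3, 9)


def status_by_host(records=SAMPLE_INVENTORY, today=REPORT_DATE):
    """Map each host to its SLA status for quick assertions and dashboards."""
    return {row["host"]: row["status"] for row in assess(records, today)}


if __name__ == "__main__":
    rows = assess(SAMPLE_INVENTORY, REPORT_DATE)
    for row in rows:
        print(f"{row['host']:8} {row['patch']:8} due {row['deadline']} {row['status']:8} eol={row['eol_os']}")
    print(summarise(rows))
```

Note that fs01 is "on-time" for the one patch it received and still appears in the end-of-life list: a host can be fully patched and still unsupported, and a report that only tracks pending patches will never show that.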

Control 5: Backup and recovery

Article 32 specifically requires the ability to restore the availability and access to personal data in a timely manner following a physical or technical incident. This means tested backup and recovery capabilities are a direct legal requirement, not just a business continuity best practice.

The backup must be sufficient to meet your Recovery Time Objective (how long the business can operate without access to the data before the disruption itself becomes an Article 32 risk) and your Recovery Point Objective (how much recent data you can afford to lose), and it must be protected against the same threats as the primary data. A backup on the same network as the data it protects, writable with the same credentials, offers limited protection against ransomware: keep at least one copy offline or immutable, and test restores on a schedule, because an untested backup is an assumption rather than a control.

Control 6: Security monitoring and logging

Article 32(1)(d) requires a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures. In practice, this requires logging of access to systems holding personal data, monitoring for anomalous behaviour, and a process for reviewing logs and acting on findings. Microsoft 365 provides audit logging for Exchange, SharePoint and Teams; verify that it is enabled for your tenant and that logs are retained for a minimum of 90 days, preferably longer for organisations with higher risk profiles, since compromises are often discovered weeks after the initial access and the log must still cover that period.
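"Monitoring for anomalous behaviour" is abstract until it is written down as rules that run over the log. The script below is an added example, not AMVIA's or Microsoft's code: it applies three common detections to a handful of constructed records shaped like Microsoft 365 unified audit log entries (the field names Operation, UserId, ClientIP, ResultStatus and the Parameters list on inbox-rule events are real; the records themselves are made up). The corporate egress range, the internal mail domain, the download threshold and the ten-minute window are assumptions that would be replaced with your own baseline.

```python
"""Three detections over constructed Microsoft 365 unified audit log records.

Added example, not AMVIA's tooling. The records below are made up but follow the
field names of real unified audit log entries (Operation, UserId, ClientIP,
Parameters); the corporate IP range, internal domain and thresholds are assumptions.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

KNOWN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]  # assumed office/VPN egress
INTERNAL_DOMAINS = {"example.co.uk"}                       # assumed own mail domains
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
DOWNLOAD_THRESHOLD = 3                                     # assumed; tune to baseline
DOWNLOAD_WINDOW = timedelta(minutes=10)

# Constructed sample log in JSON-lines form: a sign-in from outside the known range,
# an inbox rule forwarding mail externally, and a burst of HR file downloads.
SAMPLE_LOG = """
{"CreationTime": "2026-03-09T08:15:02", "Operation": "UserLoggedIn", "Workload": "AzureActiveDirectory", "UserId": "alice@example.co.uk", "ClientIP": "203.0.113.10", "ResultStatus": "Success"}
{"CreationTime": "2026-03-09T08:41:19", "Operation": "UserLoggedIn", "Workload": "AzureActiveDirectory", "UserId": "alice@example.co.uk", "ClientIP": "198.51.100.7", "ResultStatus": "Success"}
{"CreationTime": "2026-03-09T08:43:05", "Operation": "New-InboxRule", "Workload": "Exchange", "UserId": "alice@example.co.uk", "ClientIP": "198.51.100.7", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "ForwardTo", "Value": "collector@example.net"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"CreationTime": "2026-03-09T09:02:10", "Operation": "FileDownloaded", "Workload": "SharePoint", "UserId": "bob@example.co.uk", "ClientIP": "203.0.113.22", "ObjectId": "https://example.sharepoint.com/sites/hr/Payroll-2025.xlsx"}
{"CreationTime": "2026-03-09T09:03:41", "Operation": "FileDownloaded", "Workload": "SharePoint", "UserId": "bob@example.co.uk", "ClientIP": "203.0.113.22", "ObjectId": "https://example.sharepoint.com/sites/hr/Staff-list.xlsx"}
{"CreationTime": "2026-03-09T09:05:12", "Operation": "FileDownloaded", "Workload": "SharePoint", "UserId": "bob@example.co.uk", "ClientIP": "203.0.113.22", "ObjectId": "https://example.sharepoint.com/sites/hr/Appraisals.docx"}
{"CreationTime": "2026-03-09T10:30:00", "Operation": "FileDownloaded", "Workload": "SharePoint", "UserId": "carol@example.co.uk", "ClientIP": "203.0.113.30", "ObjectId": "https://example.sharepoint.com/sites/it/Runbook.docx"}
"""


def load_records(text):
    """Parse JSON-lines audit export into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_known_ip(ip):
    """True if the client IP sits inside one of the assumed corporate ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in KNOWN_RANGES)


def external_forward_targets(record):
    """Addresses outside INTERNAL_DOMAINS that an inbox rule forwards or redirects to."""
    targets = []
    for param in record.get("Parameters", []):
        if param.get("Name") not in FORWARD_PARAMS:
            continue
        for addr in str(param.get("Value", "")).replace(";", " ").split():
            clean = addr.strip('"<>')
            domain = clean.rsplit("@", 1)[-1].lower()
            if domain not in INTERNAL_DOMAINS:
                targets.append(clean)
    return targets


def detect(records):
    """Return (user, detection, detail) tuples in time order."""
    findings = []
    downloads = defaultdict(list)  # per-user timestamps inside the sliding window
    burst_flagged = set()          # report each user's burst once, not per file
    for r in sorted(records, key=lambda rec: rec["CreationTime"]):
        op, user = r.get("Operation"), r.get("UserId", "<unknown>")
        ts = datetime.fromisoformat(r["CreationTime"])
        if op == "UserLoggedIn" and r.get("ResultStatus") == "Success":
            if not is_known_ip(r.get("ClientIP", "")):
                findings.append((user, "LOGIN_UNKNOWN_IP", r.get("ClientIP")))
        elif op in ("New-InboxRule", "Set-InboxRule"):
            targets = external_forward_targets(r)
            if targets:
                findings.append((user, "EXTERNAL_FORWARD_RULE", targets))
        elif op == "FileDownloaded":
            window = downloads[user]
            window.append(ts)
            while ts - window[0] > DOWNLOAD_WINDOW:  # drop events outside the window
                window.pop(0)
            if len(window) >= DOWNLOAD_THRESHOLD and user not in burst_flagged:
                burst_flagged.add(user)
                findings.append((user, "DOWNLOAD_BURST", f"{len(window)} files within {DOWNLOAD_WINDOW}"))
    return findings


if __name__ == "__main__":
    for user, detection, detail in detect(load_records(SAMPLE_LOG)):
        print(f"{detection:22} {user:24} {detail}")
```

Run on the sample, the first two findings land on the same account within two minutes (a sign-in from an unrecognised address followed by a rule that forwards mail out and deletes the original), which is the classic business email compromise pattern that mailbox audit logging exists to catch. The point of the exercise is less the three rules than the fact that each one has a named owner, a review cadence and an action when it fires.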

Documenting your technical controls

The accountability principle under UK GDPR requires organisations not just to implement controls but to document them and be able to demonstrate compliance. This means maintaining records of the technical measures in place, evidence that they are working (for example, patch compliance reports, access review outcomes, backup test results), and a process for regularly reviewing their adequacy.

AMVIA implements and documents UK GDPR-compliant technical controls for UK businesses, providing the evidence trail that supports accountability and, in the event of an ICO inquiry, demonstrates that appropriate measures were genuinely in place.

Can You Demonstrate Your GDPR Technical Controls?

The ICO expects organisations to show that appropriate technical measures are in place — not just assert it. AMVIA can implement and document the controls needed to satisfy this obligation.

Frequently Asked Questions