
GDPR and Cybersecurity: What UK Businesses Must Do

UK GDPR requires businesses to implement appropriate technical and organisational measures to protect personal data. A cybersecurity failure that results in a personal data breach is therefore not just an operational problem: it is a potential breach of a legal obligation, and can lead to ICO investigation, enforcement action, fines and reputational damage.


Overview

UK GDPR requires appropriate technical and organisational security measures to protect personal data. A personal data breach must be reported to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to individuals. Cyber Essentials is a widely recognised baseline of technical controls that helps demonstrate the Article 32 obligation has been taken seriously, although Article 32 remains risk-based and certification alone does not prove compliance. According to the DSIT Cyber Security Breaches Survey 2025, 43% of UK businesses identified a cyber security breach or attack in the previous 12 months.


What GDPR Requires for Cybersecurity

UK GDPR does not prescribe a specific set of technical controls. Instead, Article 32 requires organisations to implement measures appropriate to the risk, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the likelihood and severity of the risk to individuals. In practice, this means the ICO expects businesses to have implemented at least the baseline security controls appropriate for their size and the sensitivity and volume of the data they hold, and to be able to show the reasoning behind that choice.

The NCSC's Cyber Essentials scheme is widely accepted as a sensible baseline of technical controls for most SMEs, and the ICO itself points to it as a good starting point. The five Cyber Essentials control themes (firewalls, secure configuration, user access control, malware protection, and security update management, i.e. patching) address the majority of common, opportunistic attack vectors. Cyber Essentials is a baseline, not a ceiling: it does not by itself discharge the Article 32 obligation, which always depends on the risk of the specific processing.

Beyond Cyber Essentials, organisations processing special category or otherwise sensitive personal data (health data, financial data, criminal offence data) are expected to apply additional measures commensurate with the higher risk. This may include encryption of data at rest and in transit, more granular access controls, enhanced logging and monitoring, and a formal data protection impact assessment (DPIA), which Article 35 requires for processing likely to result in a high risk to individuals.

The 72-Hour Breach Reporting Obligation

Under UK GDPR Article 33, when a personal data breach occurs, the data controller must notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. The default is therefore to notify; the exception is a breach that is unlikely to cause risk. The clock does not run from when the breach occurred but from when the controller becomes aware of it. Because many cyber incidents are not detected immediately, detection and logging capability is directly relevant to compliance: an organisation that cannot establish when it became aware, or what data was affected, cannot notify properly.

The notification must include: the nature of the breach, including where possible the categories and approximate numbers of individuals and records affected; the name and contact details of the data protection officer or other contact point; the likely consequences of the breach; and the measures taken or proposed to address it, including any mitigation of its effects. Where all of this information is not available within 72 hours, Article 33(4) allows it to be provided in phases without undue further delay, and where the notification itself is late, the reasons for the delay must be given alongside it. Every personal data breach, notifiable or not, must also be documented internally under Article 33(5), including its facts, effects and the remedial action taken, so that the ICO can verify compliance.

Where the breach is likely to result in a high risk to individuals, Article 34 requires that those individuals are also notified directly, without undue delay, not just the ICO. The bar for individual notification ("high risk") is higher than for ICO notification ("a risk"). Individual notification is not required where the affected data was rendered unintelligible to anyone not authorised to access it, for example by encryption with keys that were not compromised, or where subsequent measures have removed the high risk.

What the ICO Looks for After a Breach

When the ICO investigates a breach, it assesses whether the organisation had implemented appropriate security measures before the incident, not only how it responded afterwards. Key questions include: Were basic controls in place, such as MFA, patching and access controls? Was the breach avoidable with reasonable measures? Was it discovered promptly, and can the organisation show when it became aware? Was the ICO notified within 72 hours? Were affected individuals notified where required? Is there a record of the breach and the decisions taken?

Organisations that can demonstrate they had implemented appropriate controls, including Cyber Essentials-equivalent measures, and that they responded properly are treated more favourably than those with inadequate controls or delayed notification. This is built into the law: when deciding whether to fine and how much, Article 83(2) requires the ICO to take into account, among other factors, the technical and organisational measures the organisation had in place, the action it took to mitigate the damage to individuals, and its degree of cooperation with the regulator.

Practical Steps for GDPR Security Compliance

For most UK SMEs, GDPR security compliance starts with implementing the Cyber Essentials controls: firewalls, secure configuration, user access control (including MFA), malware protection, and patch management. These address the technical weaknesses behind the types of breaches the ICO most commonly investigates, such as phishing, ransomware and compromised accounts.

Beyond technical controls, businesses need documented security policies, a breach response procedure (including the 72-hour ICO notification process and a breach register), and staff training on data handling and breach recognition, since staff are frequently the first to notice that something is wrong. A formal data protection policy backed by working technical controls is far stronger than either alone; a policy nobody follows and a control nobody documented are each difficult to defend in an ICO investigation.

Key Considerations for UK SMEs

  • Cyber Essentials certification provides documented evidence of baseline security controls, directly relevant to demonstrating GDPR Article 32 measures
  • Implement MFA across all accounts, and in particular on email and remote access; phishing and credential theft are among the most common causes of the cyber-related breaches reported to the ICO
  • Have a documented breach response procedure; the 72-hour clock starts when you become aware, so knowing immediately who decides, who notifies and what evidence to preserve is essential
  • Encrypt laptops and mobile devices; a lost device is still a personal data breach and must be logged, but if the data is properly encrypted and the key was not compromised it is much less likely to require ICO notification and does not require individual notification
  • Review third-party supplier access; GDPR extends to processors who handle personal data on your behalf, Article 28 requires a written contract with each of them, and a processor must notify you of a breach without undue delay so that your own 72-hour clock can be met

How AMVIA Can Help

AMVIA helps UK businesses meet their GDPR security obligations through managed cybersecurity services aligned with Cyber Essentials. AMVIA configures MFA, endpoint protection, patching, and email security: the technical controls most directly relevant to preventing the breaches the ICO investigates most frequently. AMVIA can also support Cyber Essentials certification as documentary evidence of appropriate technical measures. For businesses that experience a security incident, AMVIA provides incident response support, including advice on UK GDPR notification obligations. Contact AMVIA on 0333 733 8050 to discuss your compliance requirements.

Key Points

What UK businesses need to know about GDPR cybersecurity obligations.

Legal Obligation to Secure Data

UK GDPR Article 32 requires appropriate technical and organisational measures, proportionate to the risk posed by the personal data you hold and the way you process it.

72-Hour Breach Reporting

If a cyber incident results in a personal data breach, the ICO must be notified without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms.

ICO Enforcement Includes Fines

The ICO can fine organisations up to £17.5 million or 4% of total annual worldwide turnover, whichever is higher, for the most serious UK GDPR infringements. Security failures can fall into this higher tier because the ICO treats them as breaches of the Article 5(1)(f) integrity and confidentiality principle as well as of Article 32 itself, for which the maximum is £8.7 million or 2% of turnover.

43% of UK Businesses Breached in 2025

The DSIT Cyber Security Breaches Survey 2025 found that 43% of UK businesses identified a cyber security breach or attack in the previous 12 months. Any breach affecting personal data triggers GDPR obligations, at a minimum the duty to assess the risk and record the breach internally, even where ICO notification is not required.

GDPR Security Checklist

MFA enforced on all accounts, especially email and remote access; phishing and credential theft are among the most common causes of notifiable cyber breaches

All laptops and mobile devices encrypted

Patching maintained — unpatched systems are a common ICO enforcement finding

Breach response procedure documented, with the 72-hour ICO notification process, decision-makers and a breach register clearly defined

Cyber Essentials certification achieved or targeted — documented evidence of baseline controls

Third-party supplier data processing agreements in place (Article 28), including the processor's obligation to notify you of a breach without undue delay


Demonstrate GDPR-Compliant Security

AMVIA implements the technical controls that support UK GDPR's Article 32 security requirements, and supports businesses through Cyber Essentials certification as documented evidence of those measures.