The security requirements of the UK GDPR are broad, leaving many organisations unsure what “appropriate” actually means in practice. This article discusses the challenges of enforcing UK GDPR security standards and the ICO’s interpretation of what organisations must do to comply. It explains the principle-based nature of the regulation and the implications for organisations of different sectors and sizes.
UK GDPR security requirements
The ICO’s enforcement is guided by Article 32, which requires data controllers and processors to implement appropriate technical and organisational security measures. What counts as appropriate varies significantly with the nature of the processing, the cost of implementation, the state of the art, and the risk to individuals. Fortunately, organisations are not held to a strict liability standard: a breach alone does not prove that the measures in place were inappropriate.
ICO / NCSC Guidance
The ICO adopts an outcomes-based approach to security, focusing on governance, risk management, protection, and the detection of security events. Notably, the ICO aligns its guidance with the NCSC Cyber Assessment Framework (CAF), which gives organisations a structured way to assess their own security measures.
Outcomes based assessment
Using the Cyber Assessment Framework, organisations can assess their security posture against a colour-coded scale (green for achieved, amber for partially achieved, red for not achieved). Achieving ‘green’ is demanding, and because an outcome is rated ‘not achieved’ if any single negative indicator applies, many organisations may land on ‘red’ for one shortcoming. This raises significant concerns about unfair enforcement outcomes if the ICO treats a red rating as evidence of inadequate security.
ICO enforcement
The ICO’s record of fines is low relative to the number of reported breaches, most likely because its enforcement resources are limited. There is a risk of strict liability by the back door: an assessment can produce a red rating on the basis of a minor security failing, which raises the stakes for organisations regardless of their overall posture.
MITRE CVE
Concerns are also emerging about the future of the Common Vulnerabilities and Exposures (CVE) programme maintained by MITRE, which is crucial for identifying and tracking known security vulnerabilities. The ICO relies on CVE identifiers in enforcement, for example when showing that an organisation failed to address a publicly known vulnerability, so any uncertainty about the programme’s future could present challenges for enforcement going forward.
Summary
Overall, the ICO is navigating the complexities of enforcing UK GDPR security provisions amidst various operational challenges and expectations from diverse organisations.
Key Points
- The ICO’s guidance allows for broad interpretation of ‘appropriate’ security measures under the UK GDPR.
- The enforcement relies on an outcomes-based approach, borrowing from the NCSC Cyber Assessment Framework.
- Organisations may struggle to achieve a ‘green’ security rating, risking unfair penalties based on minor failings.
- ICO fines are infrequent because of limited enforcement resources, not necessarily because reported breaches are minor.
- Concerns exist over the future of the CVE database, which is vital for the ICO’s enforcement actions.
Why should I read this?
This article is a must-read for anyone involved in data protection or cybersecurity in the UK. It breaks down the complexities of the UK GDPR’s security requirements, clarifies the ICO’s enforcement approach, and highlights the potential pitfalls organisations face. If you’re in the business of ensuring data security, you can’t afford to ignore this information!