GDPR is widely misunderstood as a bureaucratic exercise in cookie consent and privacy notices. It is that, but it is also something with sharper teeth: a legal framework that holds businesses directly accountable for the security of personal data they hold — and that empowers regulators to issue substantial fines when that security fails.
The cyber security obligations under GDPR are not optional extras. They are legal requirements, and the ICO — the UK’s data protection regulator — has demonstrated it will enforce them.
The Legal Foundation: Article 32
Article 32 of UK GDPR requires organisations to implement “appropriate technical and organisational measures” to protect personal data. The standard is deliberately flexible: what is appropriate is judged against the state of the art, the cost of implementation, the nature, scope, context and purposes of the processing, and the risk to the people whose data it is, not against a single fixed checklist. A sole trader holding a client email list faces different obligations from a healthcare business processing medical records.
“Appropriate” does not mean perfect. It means proportionate to the risk. But it does mean documented, deliberate, and implemented — not theoretical.
The measures Article 32 names explicitly are pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability of, and access to, personal data in a timely manner after a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of those measures. If your business cannot demonstrate these, you are not compliant.
What Counts as a Data Breach Under GDPR
A data breach is not limited to hackers stealing a database. Under UK GDPR, a personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, whether that data is being transmitted, stored or otherwise processed.
That includes:
- Ransomware encrypting records containing personal data
- An employee emailing a spreadsheet of customer details to the wrong recipient
- A laptop containing unencrypted data being stolen from a car
- Accidental deletion of records with no backup
The key question is not whether something went wrong — it is whether personal data was affected.
The 72-Hour Notification Requirement
Unless a breach is unlikely to result in a risk to the rights and freedoms of individuals, you must notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it. Treat the 72 hours as a hard deadline: a later notification must be accompanied by the reasons for the delay, and it can be made even if you do not yet have full details, because you are allowed to supplement your report in phases as the investigation progresses.
Notification to affected individuals is required when the breach is likely to result in high risk: identity theft, financial loss, discrimination, or serious harm to reputation or wellbeing. The obligation to notify the ICO and individuals sits with the data controller, which in most cases is the business. A processor handling data on your behalf must tell you, the controller, about a breach without undue delay, and the 72-hour clock for the ICO starts when you become aware of it.
Failure to notify, or notifying late, is itself a breach of GDPR and a factor the ICO considers when calculating fines.
What the ICO Expects to See
The ICO’s enforcement decisions provide a practical guide to what “appropriate” looks like. Investigations consistently look for:
Encryption: Personal data stored on devices or transmitted across networks should be encrypted. A laptop holding personal data that is lost or stolen without full-disk encryption is a predictable, preventable incident, and one that is difficult to defend as “appropriate” security.
Access controls: Only staff who need access to personal data for their role should have it. Access should be individual and auditable, not shared credentials or blanket access to entire file systems.
Patch management: Unpatched systems that are subsequently exploited attract regulatory interest. The ICO has been explicit that running outdated software is inconsistent with appropriate technical measures.
Incident response: You should have a documented process for identifying, containing, and reporting breaches. An ad hoc response that delays notification is harder to defend than a structured one that acts quickly even with incomplete information.
Staff training: Human error accounts for a significant proportion of breaches. The ICO expects businesses to train staff on data handling, phishing awareness, and reporting obligations.
The Fines Landscape
Under UK GDPR, fines can reach £17.5 million or 4% of global annual turnover, whichever is higher. The largest penalties issued so far have fallen well below that ceiling but are still substantial: British Airways was fined £20 million following a 2018 breach affecting around 400,000 customers, and Marriott International received an £18.4 million penalty in the same enforcement period. Both were reduced from much larger notices of intent (£183 million and £99 million respectively) after representations from the companies and consideration of the impact of the pandemic.
For smaller businesses, the ICO typically applies proportionality — fines issued to SMEs run into tens or hundreds of thousands rather than millions. But reputational damage, the cost of notification, and legal fees often exceed the fine itself.
Achieving GDPR-Appropriate Cyber Security
Data mapping: Know what personal data you hold, where it is stored, who has access, and what the lawful basis for processing it is. You cannot protect what you have not identified.
Access control: Implement least privilege. Use individual named accounts. Review access rights regularly and remove them promptly when staff leave.
Encryption: Enable full-disk encryption on laptops and mobile devices (the built-in tools, such as BitLocker on Windows and FileVault on macOS, are sufficient when enabled and managed). Use encrypted transmission (TLS) for email and web traffic. Consider encrypting databases containing sensitive records, and keep the keys separate from the data they protect.
Staff training: Annual security awareness training that includes data protection obligations. Make reporting incidents easy and non-punitive — staff who fear consequences of reporting a mistake are more likely to conceal it.
Documented policies: Written policies for data handling, breach response, and acceptable use. These demonstrate intent and structure, both to the ICO and to clients who ask about your security posture.
Incident response plan: A documented, tested process for identifying and responding to breaches, including who makes the decision to notify the ICO and who drafts the notification.
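The access-control item above says to review access rights regularly and remove them promptly when staff leave, and the ICO section says access should be individual and auditable rather than shared. The following script, added here as an illustration and not taken from any real organisation, shows what a minimal quarterly access review looks like in practice: it reconciles a user-account export against an HR staff list and flags leavers whose accounts are still enabled, accounts that match no current employee, accounts with no named owner (likely shared logins), and accounts that have not logged in within the review window. The account records, staff records and the `SHARED_ACCOUNT_HINTS` heuristic are constructed for this example; in a real review the two lists would come from your identity provider and HR system.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    """One row from a user-account export (constructed format for this example)."""
    username: str
    owner_email: Optional[str]   # None when the account has no single named person
    enabled: bool
    last_login: Optional[date]   # None if the account has never logged in


@dataclass(frozen=True)
class Employee:
    """One row from an HR staff list (constructed format for this example)."""
    email: str
    leaving_date: Optional[date]  # None for current staff with no leaving date


# Hypothetical naming hints for generic logins that should not exist as shared accounts.
SHARED_ACCOUNT_HINTS = ("admin", "shared", "reception", "info", "accounts")


def review_access(accounts: List[Account], employees: List[Employee],
                  today: date, stale_days: int = 90) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for every enabled account that needs action.

    Findings:
      shared-or-unowned       no named owner, so the account is not individually auditable
      no-matching-employee    owner is not on the HR list (orphaned or mistyped)
      leaver-still-enabled    owner's leaving date has passed but the account is live
      stale                   no login in the last `stale_days` days
    """
    staff = {e.email.lower(): e for e in employees}
    findings: List[Tuple[str, str]] = []

    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts are already out of scope for least privilege

        if acct.owner_email is None:
            findings.append((acct.username, "shared-or-unowned"))
        else:
            owner = staff.get(acct.owner_email.lower())
            if owner is None:
                findings.append((acct.username, "no-matching-employee"))
            elif owner.leaving_date is not None and owner.leaving_date <= today:
                findings.append((acct.username, "leaver-still-enabled"))

        if acct.last_login is None or (today - acct.last_login).days > stale_days:
            findings.append((acct.username, "stale"))

    return findings


def looks_shared(username: str) -> bool:
    """Cheap heuristic flag for generic usernames, independent of ownership data."""
    name = username.lower()
    return any(hint in name for hint in SHARED_ACCOUNT_HINTS)


# Constructed sample data: a small business on review date 1 March 2024.
REVIEW_DATE = date(2024, 3, 1)

SAMPLE_EMPLOYEES = [
    Employee("alice@example.co.uk", None),
    Employee("bob@example.co.uk", date(2024, 2, 15)),   # left two weeks ago
    Employee("carol@example.co.uk", date(2024, 4, 30)),  # leaving in the future
]

SAMPLE_ACCOUNTS = [
    Account("alice", "alice@example.co.uk", True, date(2024, 2, 28)),
    Account("bob", "bob@example.co.uk", True, date(2024, 2, 20)),
    Account("carol", "carol@example.co.uk", True, date(2023, 10, 1)),
    Account("dave", "dave@example.co.uk", True, date(2024, 2, 29)),
    Account("reception", None, True, date(2024, 3, 1)),
    Account("olduser", "old@example.co.uk", False, None),
]


if __name__ == "__main__":
    for username, finding in review_access(SAMPLE_ACCOUNTS, SAMPLE_EMPLOYEES, REVIEW_DATE):
        note = " (generic name)" if looks_shared(username) else ""
        print(f"{username:12s} {finding}{note}")
```

Each finding maps directly to an action a reviewer can record: disable the leaver's account, identify or remove the orphan, replace the shared login with named accounts, and confirm whether the stale account is still needed. Keeping the output of each review, with the actions taken, is the kind of evidence the ICO looks for when it asks whether access controls are actually operated rather than merely written down.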
UK GDPR vs EU GDPR Post-Brexit
Since the UK left the EU, UK GDPR operates as a separate but substantially equivalent framework, read alongside the Data Protection Act 2018. The practical obligations are almost identical. International transfers need care in both directions: UK businesses sending personal data to the EEA can do so because the UK recognises EEA countries as providing adequate protection, while data flowing from the EEA into the UK relies on the EU’s adequacy decision for the UK, which is currently in force and simplifies those transfers. That decision is subject to review and is not guaranteed permanently, so contracts that depend on it should be identified in your data map.
If your business serves EU customers or processes EU residents’ data, EU GDPR may also apply to you in addition to UK GDPR.
DreamThieves helps UK businesses implement the technical security controls that satisfy GDPR obligations and reduce the risk of a breach. Visit www.dreamthieves.uk for a data security review.
A specialist from the DreamThieves cyber security team.