GDPR – new guidance on “Appropriate measures”

Following the introduction of the GDPR on 25 May 2018, the National Cyber Security Centre and the Information Commissioner’s Office have published new guidance in the form of technical security outcomes which are considered to represent “appropriate measures” under Article 5 (1) (f) of the GDPR.

For those of you not familiar with Article 5 (1) (f), this is the section that requires personal data to be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

The new guidance is aimed at industry, local Government and central Government departments together with those involved with their chains of supply.

The upshot of the guidance is that it confirms that what is “appropriate” depends on the relevant circumstances, the processing being undertaken and the risks associated with it.

The guidance sets out four main aims:

  1. Managing security risks;
  2. Protecting personal data against cyber-attacks;
  3. Detecting security events;
  4. Minimising the impact of data breaches.

The new guidance also describes the relevant steps that should be taken following a personal data breach.

The guidance can be found at https://www.ncsc.gov.uk/guidance/gdpr-security-outcomes.

If you have any questions in relation to the GDPR or following this guidance, please do not hesitate to contact the writer, Mr Graham Mead, on 01473 230033.