Net Platforms

Making a Complete Cyber Security Checklist – Understanding Your Obligations Under the GDPR

When approaching a subject as complex and unwieldy as cyber security, it can be hard to know where to begin. There is no single point-in-time action, no quick fix that addresses your cyber security challenges once and for all, so how should you approach the process of safeguarding your digital assets?

If your business processes or stores personal data of any kind, you will likely be familiar with the GDPR, or its post-Brexit UK counterpart, the UK GDPR, which sits alongside the Data Protection Act 2018. But what does this extensive body of legislation actually say about cyber security?

Article 5 of the GDPR, ‘Principles relating to the processing of personal data’, sets out what is known as the ‘integrity and confidentiality’ principle (Article 5(1)(f)): organisations must protect personal data against ‘unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures.’

The legislation repeats the phrase ‘technical and organisational measures’ many times without ever spelling out what is required. To help, we have pieced together a checklist of the key technical and organisational measures you should implement in order to satisfy this vital component of the UK GDPR.

But first, what is meant by ‘appropriate’ in this context?

It means that the measures you take should be proportionate to the level of risk involved and aligned with industry best practice. The GDPR is a reasonable piece of legislation and acknowledges that controllers and processors face practical limits on the controls they can put in place; Article 32 explicitly directs you to take account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing. To determine whether a measure is ‘appropriate’, consider the following:

  • The sensitivity level of the data. ‘Special category’ data for example should be subject to more sophisticated protections.
  • The level of risk the data is subject to (quantifiable using risk assessments).
  • Industry best practice. You should aim to implement the best protections feasible rather than those simply considered acceptable.
  • Cost of implementation.

For each ‘technical and organisational’ measure you institute, create a corresponding supporting document that records the justification against the criteria above. In essence: demonstrate that the measure offers protection proportionate to the risks involved, so that you can evidence compliance if asked.

Organisational measures

Organisational measures are the internal processes, practices, policies and activities that controllers and processors should institute and carry out to secure personal data. We often think of cyber security in terms of technical controls such as antivirus software and firewalls, but organisational measures have an equally important role to play. Examples of key organisational measures include:

Business continuity planning

The GDPR is clear about the need for business continuity and backup solutions, with Article 32(1)(c) stating that data controllers and processors should ensure:

‘the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident’

A business continuity plan is a set of documents that outlines how your business intends to respond to a disruptive event such as a cyber-attack, theft, flood or office fire. Prepare documents for multiple eventualities, giving details of the backup systems that would be called upon to restore personal data and the time within which restoration is expected. Backups that have never been restored cannot be relied on, so test the restore process periodically rather than assuming it works. Your plan should also set out how you would isolate and contain an incident, to maintain the integrity of data that has not yet been compromised.

Information Security Policies (ISP)

A comprehensive information security policy provides the framework for actionable measures, and ensures everyone in your organisation has a handbook on data security best practice. Broad and overarching, your ISP should contain information relating to:

  • Access and authentication. It should set out who has access to which data, and the authentication measures that must be in place to control that access.
  • Data classification. Your information security policy should set out the data types your organisation holds, the risk profile attached to each, and what this means for processing and access.
  • Data backups. The policy should describe the backup solutions that must be in place, plus details of additional protections such as encryption of backup media.
  • Security awareness training. The ISP should detail any security awareness training staff are required to complete.
  • Employee responsibilities. The policy should contain a detailed account of the responsibilities that lie with employees in relation to your data security objectives. These might include creating strong passwords, ‘acceptable use’ rules for mobile devices, and ensuring physical documents are stored and disposed of securely.
  • Details of technical measures. The policy should list all the technical protection measures that data must be subject to at all times.

Risk assessments

Data security risk assessments are a vital component in ensuring GDPR compliance. A risk assessment is a procedure which enables you to expose, examine and quantify the risks your data is subject to. Every ‘technical and organisational’ measure you implement should be supported by a risk assessment so you can confidently assert that the protections in place are ‘appropriate’ as required by the integrity and confidentiality principle.

Security training and cyber security awareness

Attacks that target end users, such as phishing and other social engineering, are among the most commonly encountered cyber security threats. A programme of employee security awareness training is therefore extremely beneficial. Details of security training should feature in your information security policies.

Regular audits

In addition to establishing a range of technical and organisational measures, you also have to test their efficacy by means of regular audits. The GDPR makes specific provision for this, with Article 32(1)(d) stating that data controllers and processors should implement:

‘a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.’

Such audits are vital to ensuring the measures in place remain fit for purpose, and will help you demonstrate to the Information Commissioner’s Office (ICO) that you have strived to meet your data security obligations in good faith.

Due diligence checks

If you outsource data processing activities to a third party, the onus is on you to ensure that they too have adequately implemented the necessary technical and organisational measures to protect data, as the GDPR requires. Article 28 requires you to use only processors that provide sufficient guarantees and to bind them by a written contract. Establish this by means of thorough due diligence checks, and retain a record of them.

Conclusion

With the maximum fine for UK GDPR infringement set at £17.5 million or 4% of annual worldwide turnover, whichever is higher, ensuring compliance is not an issue to be taken lightly. This article provides a cursory overview of the organisational measures required, the implementation of which will go some way to protecting the personal data you hold and demonstrating good-faith engagement with the legislation. In our next article we will outline the ‘technical measures’ required by the UK GDPR, so you can compare your data security architecture against the required standard.