GDPR has been in force in the UK since 2018 — continuing under UK GDPR post-Brexit — and yet most small businesses still frame their compliance activity around the most visible requirements: privacy notices, consent mechanisms, cookie banners, and subject access request processes.
These are real requirements. But they're not where the ICO's enforcement activity primarily focuses when it comes to small organisations. The most common basis for ICO enforcement action against small businesses is inadequate technical and organisational security measures — a failure to protect personal data from unauthorised access, loss, or disclosure.
This guide explains what UK GDPR actually requires on security, where small businesses most commonly fall short, and what the ICO expects to see in terms of security measures.
What UK GDPR Actually Says About Security
Article 5(1)(f) of UK GDPR requires that personal data be processed "in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures."
Article 32 expands on this, requiring that organisations implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk — taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risks to individuals.
The critical word in both provisions is "appropriate." What is appropriate depends on the risk. And the risk depends on what data you process, how you process it, and what the consequences would be if it were compromised.
The "Appropriate" Test in Practice
The ICO publishes guidance on what it considers appropriate security measures, and that guidance has become increasingly specific over time. For organisations processing significant volumes of personal data — which includes almost every GP surgery, law firm, accountancy practice, and HR function in the UK — "appropriate" now includes:
- Encryption: Personal data should be encrypted at rest and in transit. This applies to files stored on servers and laptops, emails containing personal data, and data transmitted between systems.
- Access controls: Staff should only be able to access personal data they need for their role. Privileged access should be limited and logged.
- Patch management: Systems processing personal data should be kept up to date. Known vulnerabilities left unpatched are a significant aggravating factor in ICO enforcement decisions.
- Monitoring and logging: Organisations should be able to detect breaches and investigate them. The ICO specifically references the ability to detect and respond to security incidents as a component of appropriate security.
- Staff training: Staff who handle personal data should be trained to do so securely and to recognise and report security incidents.
The 72-Hour Notification Requirement
Article 33 of UK GDPR requires that personal data breaches meeting certain thresholds be reported to the ICO within 72 hours of the organisation becoming aware of them. A breach is defined broadly: any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes ransomware attacks, unauthorised access to email accounts, theft of devices containing personal data, and accidental disclosure.
The 72-hour clock creates a practical problem for small organisations: discovering a breach and completing a meaningful assessment of its scope within 72 hours requires the ability to investigate quickly. Organisations without security monitoring typically can't determine what happened, when, what data was involved, or who had access — all of which the ICO notification form asks about — in 72 hours. The result is late notifications, which are themselves a compliance failure.
Continuous security monitoring, with a named analyst who can conduct rapid investigation, is what makes 72-hour notification achievable in practice.
The Accountability Principle: Demonstrating Compliance
Article 5(2) establishes the accountability principle: the controller "shall be responsible for, and be able to demonstrate compliance" with the data protection principles. This means that compliance isn't just about having controls in place — it's about being able to prove it.
In the context of security, demonstrable compliance means having records of the security measures you have in place, evidence that they're working, and documentation of how you respond to incidents. A monthly security report authored by a named analyst, a Confidence Score dashboard with timestamped records of your security posture, and audit documentation from a Cyber Essentials certification process together constitute exactly the kind of demonstrable compliance the ICO expects.
What the ICO Looks For When Things Go Wrong
The ICO's enforcement decisions and published guidance reveal a consistent set of factors that aggravate penalties for security breaches:
- No continuous monitoring capability — the organisation had no way of knowing the breach occurred
- Unpatched known vulnerabilities that were the entry point for the breach
- No multi-factor authentication on systems holding personal data
- Lack of staff training on security procedures
- Delayed notification — particularly where the delay was caused by an inability to investigate
- No evidence of a documented security policy or risk assessment
Conversely, organisations that can demonstrate that they had appropriate technical controls in place, that they detected the breach promptly through their monitoring capability, and that they responded and notified within the required timeframe, typically receive significantly more favourable treatment — even when a breach has occurred.
The Practical Implication
GDPR's security requirements are not satisfied by a privacy notice and an annual awareness training course. They require ongoing, demonstrable technical measures that are proportionate to the risk of the data you process. For most small businesses that handle client records, health data, financial information, or HR data — which is most professional services businesses — that means continuous monitoring, documented controls, and the ability to detect and respond to incidents quickly.
Demonstrable Security. Not Just Promised.
SOC in a Box provides the continuous monitoring, monthly analyst reports, and Cyber Essentials certification that constitute demonstrable security under UK GDPR's accountability principle. Your named analyst's monthly report is the evidence your ICO response depends on.