Compliance

GDPR and Cybersecurity: What UK Businesses Must Do

UK GDPR requires businesses to implement appropriate technical and organisational security measures to protect personal data. A cybersecurity failure that results in a data breach is not just an operational problem — it is a legal obligation failure that can result in ICO investigation, fines, and reputational damage.

Overview

UK GDPR requires appropriate technical security measures to protect personal data. Breaches affecting personal data must be reported to the ICO within 72 hours if they pose a risk to individuals. Cyber Essentials provides a recognised baseline for demonstrating Article 32 compliance. 43% of UK businesses experienced a breach in 2025 (DSIT).

Learn about

This is the compliance side of managed cybersecurity: the point where a technical failure becomes a legal one. If you handle personal data on UK customers or staff, security is not a best practice you can defer — it is written into law.

Why is cybersecurity a legal obligation under GDPR?

For any UK business handling personal data, security is a statutory duty, not an optional control. UK GDPR — the retained EU regulation as amended by the Data Protection Act 2018 — requires "appropriate technical and organisational measures" to protect personal data. A cyber failure that exposes data is therefore both an incident and a potential regulatory breach.

According to the DSIT Cyber Security Breaches Survey 2025, 43% of UK businesses experienced a cybersecurity breach or attack in the past 12 months, with 74% of large businesses reporting breaches (DSIT 2025). Any of those incidents involving employee records, customer details, or financial data potentially triggered GDPR obligations, including mandatory reporting to the Information Commissioner's Office.

What does UK GDPR Article 32 actually require?

Article 32 does not list a fixed set of controls. It requires measures "appropriate to the risk," judged against the state of the art, cost, and the sensitivity of the data you process. In practice, the ICO expects you to have the baseline controls a business your size and risk profile should reasonably hold.

The article names specific categories of measure:

  • Pseudonymisation and encryption of personal data
  • Ongoing confidentiality, integrity, availability, and resilience of systems
  • The ability to restore access to data promptly after an incident
  • A process to regularly test and evaluate the effectiveness of controls

The NCSC Cyber Essentials scheme is widely accepted as the baseline that demonstrates Article 32 compliance for most SMEs. Its five controls — firewalls, secure configuration, access control, malware protection, and patch management — cover the attack vectors behind most reportable breaches. AMVIA holds Cyber Essentials Plus, the independently audited tier of that scheme.

What happens after a breach? ICO enforcement explained

When the ICO investigates a breach, it asks whether appropriate measures were in place beforehand: were MFA, patching, and access controls present; was the breach avoidable with affordable, proportionate controls; was it detected promptly; and was the 72-hour notification met. Inadequate controls plus a poor response produce the worst outcomes.

The ICO takes a more lenient view where a business invested sensibly in security and responded transparently. Enforcement can still be substantial — and the published action itself often does more reputational damage than the fine. Notable cases reported by the ICO include:

  • A £20 million fine for British Airways after a breach exposed the personal and financial data of approximately 400,000 customers.
  • An £18.4 million fine for Marriott International after attackers accessed records of approximately 339 million guests.

The ICO can fine up to £17.5 million or 4% of global annual turnover for serious violations. For SMEs the absolute figures are lower, but they can still be material against turnover. The average cost of a UK data breach was put at £3.58 million (IBM 2024), covering legal costs, remediation, downtime, and lost trust as well as penalties.

What is the 72-hour breach notification rule?

Under UK GDPR Article 33, where a personal data breach is likely to risk individuals' rights, the controller must notify the ICO within 72 hours of becoming *aware* — not from when the breach occurred. Because many incidents go undetected for weeks, early detection capability is directly tied to whether you can meet the deadline at all.

The notification must set out the nature of the breach, the categories and approximate numbers of people and records affected, the likely consequences, and the measures taken to contain it. Where a breach poses a high risk — exposed financial data, health records, or identity-fraud risk — affected individuals must be told directly. Yet only 14% of UK businesses hold a formal incident response plan (DSIT 2024), so most would struggle to respond in time without a pre-built procedure. A defined incident response process is what makes the 72-hour clock survivable.

What technical measures meet GDPR Article 32?

For most UK SMEs, practical compliance starts with the technical controls that address the vulnerabilities the ICO most often finds in its investigations. The table below maps Article 32 expectations to the controls AMVIA configures.

Article 32 expectationControl requiredHow AMVIA implements it
Prevent unauthorised accessMFA on all accountsMFA across Microsoft 365, VPN, and cloud apps
Protect data at restDevice & disk encryptionBitLocker enforced on laptops, mobiles, and portable storage
Maintain system integrityPatch managementAutomated OS and application patching
Detect and contain malwareEndpoint protectionMicrosoft Defender endpoint security on all devices
Reduce email-borne attacksEmail authentication & filteringDMARC/DKIM/SPF and email security via the Barracuda suite

With 85% of breaches involving phishing (DSIT 2025), credential theft remains the most common route to a reportable breach — which is why MFA and email security carry the most weight. Encryption matters too: a lost *encrypted* device may not be a reportable breach at all, because the data stays inaccessible, while an unencrypted one almost certainly is.

What organisational measures does GDPR require?

Technical controls alone do not satisfy GDPR. The ICO looks for evidence that policies exist *and are followed*, not just written. Article 32 is paired with governance: documented security policies communicated to staff, a formal breach-response procedure covering the 72-hour notification, regular data-handling training, data protection impact assessments (DPIAs) for high-risk processing, and data processing agreements with suppliers who handle data on your behalf.

A documented policy backed by functioning controls is far stronger than either alone. This is where holding Cyber Essentials or IASME Cyber Assurance helps — it provides independent, documentary evidence that your "appropriate measures" are real rather than aspirational.

How does AMVIA support GDPR security compliance?

AMVIA's managed cybersecurity service implements and maintains the exact controls Article 32 expects — MFA, endpoint protection, patching, email security, and encryption — under one accountable provider. We support security certification as documentary evidence of those measures, and provide incident response support, including guidance on ICO notification obligations when an incident occurs.

The alignment between Cyber Essentials and GDPR security duties is well established across UK business: 49,248 security certifications were issued in 2025 (NCSC). One provider. Security-first. Microsoft-certified — so the technical controls and the compliance evidence come from the same place.

How much does GDPR-compliant security cost?

There is no single price, because the controls scale with your data and headcount. Most SMEs already own much of what they need: encryption and Defender endpoint protection are included in Microsoft 365 Business Premium at £16.90 per user/month (ex VAT, annual), against Business Standard at £9.60 and Business Basic at £4.60. The cost is rarely the licences — it is the configuration, monitoring, and evidence.

AMVIA's managed service layers configuration, 24/7 monitoring, and incident response on top of that licensing, so the Article 32 controls are not just bought but proven. Pricing depends on user count and scope; a free security audit establishes the baseline before any quote.

Key Points

What UK businesses need to know about GDPR cybersecurity obligations.

Legal Obligation to Secure Data

UK GDPR Article 32 requires appropriate technical and organisational measures — proportionate to the risk posed by the data you hold.

72-Hour Breach Reporting

If a cyber incident results in a data breach that risks individuals' rights, the ICO must be notified within 72 hours of becoming aware.

ICO Enforcement Includes Fines

The ICO can fine organisations up to £17.5 million or 4% of global annual turnover for serious GDPR violations, including security failures.

43% of UK Businesses Breached in 2025

43% of UK businesses experienced a cybersecurity breach in 2025 (DSIT). Any breach affecting personal data triggers GDPR obligations.

GDPR Security Checklist

MFA enforced on all accounts — credential theft triggers most data breach notifications

All laptops and mobile devices encrypted

Patching maintained — unpatched systems are a common ICO enforcement finding

Breach response procedure documented — 72-hour ICO notification process clear

Third-party supplier data processing agreements in place

Frequently Asked Questions

Demonstrate GDPR-Compliant Security

AMVIA implements the technical controls that meet UK GDPR's Article 32 security requirements — supports businesses through security certification as evidence of compliance.