Information management and security—regulatory requirements

The following Risk & Compliance guidance note provides comprehensive and up-to-date legal information covering:

  • Information management and security—regulatory requirements
  • General Data Protection Regulation (GDPR)
  • Computer Misuse Act 1990
  • Information Commissioner's Office
  • ISO
  • Information management and security policy
  • Consequences of a breach

Brexit: As of exit day (31 January 2020), the UK is no longer an EU Member State, but it has entered an implementation period during which it continues to be treated by the EU as a Member State for many purposes. The UK must continue to adhere to its obligations under EU law, including in relation to data protection, and the ICO has confirmed the GDPR will continue to apply during the implementation period. For more information, see: Practice Note: Brexit—implications for data protection.

General Data Protection Regulation (GDPR)

The GDPR imposes extensive requirements around information security, record-keeping and general information management.

For more guidance, see Practice Note: GDPR compliance—information security and Precedent: GDPR compliance self-audit.

The GDPR security principle

Data security is a cornerstone of the GDPR. You must process personal data in a manner that ensures appropriate security (using appropriate technical or organisational measures), including protection against:

  1. unauthorised or unlawful processing, and

  2. accidental loss, destruction or damage

The GDPR calls this the ‘integrity and confidentiality’ principle, although the Information Commissioner's Office (ICO) calls it the ‘security principle’.

Article 32(1) puts more flesh on the bones of the security principle—you are required to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, costs of implementation and the nature,