Information security—data protection compliance

The following Risk & Compliance practice note provides comprehensive and up-to-date legal information covering:

  • Information security—data protection compliance
  • The CIA triad
  • The UK GDPR security principle
  • The data security principle in practice
  • Assessing data security risk
  • Organisational measures to consider
  • Information security policy
  • Non-technical measures
  • Technical measures
  • Security certification and sector-specific security requirements

Information security—data protection compliance

You must have appropriate security in place to prevent personal data being accidentally or deliberately compromised.

Information security is wider than cybersecurity (the protection of your networks and information systems from attack), as information security also covers things like physical and organisational security measures.

This Practice Note reflects requirements in the UK General Data Protection Regulation (UK GDPR) and ICO expectations, as set out in the ICO’s Guide to the UK GDPR, Security.

The CIA triad

The ICO guidance specifically refers to the ‘CIA triad’: confidentiality, integrity and availability.

If any of the three elements is compromised, there can be serious consequences—for you as a data controller and for the individuals whose data you process.

You are also required to ensure the resilience of your processing systems and services. Resilience refers to:

  1. whether your systems can continue operating under adverse conditions, eg a physical or technical incident, and

  2. your ability to restore them to an effective state

See the range of tools available in subtopic: Business continuity plan.

The UK GDPR security principle

Data security is a cornerstone of the UK GDPR. You must process personal data in a manner that ensures appropriate security (using appropriate technical or organisational measures), including protection against:

  1. unauthorised or unlawful processing, and

  2. accidental loss, destruction or damage

The UK GDPR calls this the ‘integrity and confidentiality’ principle, although the ICO calls
