Cybersecurity and GDPR

Under the General Data Protection Regulation (GDPR) you must process personal data securely. Personal data is any information relating to an identified or identifiable living individual. All solicitors hold personal data, about clients, staff and third parties alike.

You must protect personal data against:

  • unauthorised or unlawful processing
  • accidental loss
  • destruction
  • damage

You must consider data protection:

  • at the start of any processing activity
  • during the processing

Data processing

Systems that handle personal data must comply with data protection by design and default. We recommend following these principles for all data processing purposes.

Data protection by design

You must consider privacy and data protection issues at the design phase of any system and throughout data processing.

This could be, for example, when you:

  • develop new IT systems
  • use personal data for new purposes
  • create processes that may affect the privacy of data

Read more on data protection by design

Privacy enhancing technologies (PETs) can help you apply ‘data protection by design’ in your firm. PETs protect privacy by minimising personal data use and maximising data security. They also empower data subjects by giving them the ability to manage and protect their personal data.

Read ENISA’s research reports on PETs

Read the Royal Society’s report on protecting privacy in practice (PDF 2.8 MB)

Data protection by default

To comply with the GDPR, you must only process data which is ‘necessary’ for your specific purpose.

Before the processing starts, data protection by default means you need to:

  • specify the data you’re using
  • tell the data subjects
  • only process the data you need for your purpose

You should also consider:

  • using a ‘privacy-first’ approach for system settings
  • giving data subjects enough choice and control over how their data is used
  • not processing additional personal data unless the data subject agrees
  • making sure personal data is not made publicly available unless the data subject agrees

Read more on data protection by default

Level of security

The level of security (or protection) you need for your data depends on the risks involved in your processing. To understand the risks, you should review how valuable, sensitive or confidential the data is.

You should also consider:

  • weaknesses in your firm’s computer systems
  • how many staff can access personal data, and whether that access is limited to those who need it for their work
  • risks involved with personal data held or used by a processor acting on your behalf

Read more information on security

Security requirements

You must have an ‘appropriate’ level of security to protect data. To achieve this, you should follow the NCSC and the Information Commissioner’s Office (ICO) security outcomes.

The security outcomes are grouped under four aims:

  • manage security risk
  • protect personal data against cyber attack
  • detect security events
  • minimise the impact of a data breach

Reporting a personal data breach

After a cyber attack, you need to check whether personal data has been compromised: accessed, disclosed, altered, lost or destroyed without authorisation. Any of these is a personal data breach, and you may need to report it to the ICO.

Where a breach is reportable, you must notify the ICO within 72 hours of first becoming aware of it, even if that deadline falls outside working hours.

Read about when to report a personal data breach

