You are here:
  1. Home
  2. Support services
  3. Practice management
  4. Advice and guidance on GDPR compliance
  5. How to prepare for the GDPR part 4: Cybersecurity

How to prepare for the GDPR part 4: Cybersecurity

28 February 2018

This is the fourth of a five-week series of articles on how to prepare for the GDPR.

Week 3 focuses on the lawful processing of data.

This week we look at cybersecurity and the GDPR.

Cybersecurity and the GDPR

The GDPR requires organisations to take appropriate technical and organisational measures to ensure a level of security that reflects their risks in processing personal data. This is similar to organisations’ current obligations under the Data Protection Act, but there are some differences for which you should prepare.

General approach

As with overall GDPR compliance, you should consider appointing someone with sufficient seniority and expertise to lead your work on cybersecurity. You should also consider drawing up an information security policy that addresses your firm’s overall information security needs. This will clearly encompass your processing of personal data under the GDPR, but should also cover information assets that comprise non-personal data.

You may also wish to ensure that your policy covers physical and personnel security procedures.

Data breach notification

You should familiarise yourself with your obligations to notify a personal data breach to the Information Commissioner’s Office no later than 72 hours after becoming aware of it (and, in certain circumstances, to notify a personal data breach to data subjects). Mandatory data breach notification is a new obligation and failure to notify carries heavy penalties.


The GDPR explicitly refers to pseudonymisation and encryption of data as potentially appropriate mechanisms for ensuring the security of personal data. Amongst other measures it mentions are:

  • ensuring the ongoing confidentiality, integrity, availability and resilience of your processing systems and services
  • having the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
  • having a process for regularly testing, assessing and evaluating the effectiveness of your technical and organisational measures for ensuring the security of your processing.


A range of cyber security resources are available to help you. You should familiarise yourself with the guidance, products and services of the National Cyber Security Centre, including its guide for small businesses; the Cyber Essentials Scheme and the Cybersecurity Information Sharing Partnership (CiSP). You can also visit the Law Society’s cybersecurity and scam prevention webpages.

Further information

Our GDPR pages provide useful information on various elements of GDPR as well as external links which may be of use.

The Information Commissioner’s Office provides a guide on preparing for GDPR which should be your first stop as you work towards compliance.

We have provided guidance for law firms on when it may be necessary to appoint a data protection officer.

We encourage you to share useful information with your colleagues. Everyone in your firm will have some responsibility for GDPR compliance.


SRA handbook being replaced
SRA Standards and Regulations - Introduction to new package

The new SRA Standards and Regulations will become effective later this year replacing the existing SRA Handbook. Attend this one-hour live webinar where our speaker will talk you through the new package, clarify the new format and more.

SRA Standards and Regulations - Introduction to new package > More