This obligation to ensure security of processing is that organisations must have "appropriate technical and organisational measures in relation to personal data held in paper files and any stored digitally". Since the COVID-19 working from home restrictions, all organisations are working with digital data and online a lot more. The risk of cyber-attacks has increased as well. However the loss or misuse of paper files still attracts fines from the ICO on a regular basis and many solicitors still work with large amounts of paperwork.

Considerations in relation to security of processing

In order to minimise the risk of personal data being misused, access controls should be in place to restrict the access of individuals to personal data on a ‘need to know’ basis.

If you are introducing a new processing system then you should consider carrying out a Data Protection Impact Assessment. This will assist you to identify any risks in relation to data migration and the new system and will identify how to mitigate any risks. DPIAs are not covered in any detail in this guide but more information can be found on the ICO’s website.

IIn relation to cyber security the UK GDPR states that in deciding what security measures are appropriate, organisations should take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing in relation to security. This means in practice that the level of security measures that an organisation is expected to take will depend on the technology and the resources available to the organisation. The organisation should evaluate the inherent risks in the processing and implement measure to mitigate those risks.

In addition, the UK GDPR also states that this assessment should take into account the likelihood and severity of any impact on the data subjects if personal data was lost or stolen etc. and that the appropriate measures should be appropriate to the risk. The risks to be considered are those which could lead to physical, material or non-material damage and in particular this refers to discrimination; identify fraud or theft; financial loss; damage to reputation; loss of confidentiality where the information is protected by professional secrecy and any other significant economic or social disadvantage. Particular care must be taken over the data falling into the special categories.

In 2022 a firm of solicitors was fined £98,000 by the ICO in relation to a ransomware attack which resulted in 972,191 files being encrypted. This included 24,712 court bundles. 60 were released on the dark web. These files included a significant amount of personal data and special category personal data including health records, witness statements, the addresses of witnesses and victims and allegation of criminal conduct. The fine was issued in relation to a breach of the security principles because of the following failings:

  • Lack of multi factor authentication on remote desktops
  • Failing to patch the system against a vulnerability that had been known for 5 months; and
  • Failing to encrypt data in the firms archive server;

The ICO noted that given the volume and nature of the personal data held by the firm, the security contraventions created risks that were serious enough to justify enforcement action and a fine.

Security Considerations set out in the UK GDPR

Article 32 provides that consideration of security measures should include the following. None of these are prescribed but should be considered when deciding on what is appropriate for your firm, given the data that you process.

There is some excellent and accessible guidance on the National Cyber Security Centre’s website which is tailored to different types and sizes of organisations.

Pseudonymisation and anonymisation

Pseudonymised data is data which has had the personally identifiable features removed but which can be combined with other data to re-identify the individual. This can reduce the risk of personal data being lost or unlawfully accessed if the additional information for attributing the data is kept separately. Anonymised data cannot be linked to any individual and if information is truly anonymised, data protection laws do not apply to it.


The ICO encourages making sure that any personal data being transferred digitally, whether by email or on a removable device, including laptops, is encrypted. This will reduce the likelihood of it being accessed if lost or stolen and may mean that there is no requirement to report the loss of such items.

Ensuring ongoing confidentiality, integrity, availability and resilience of processing systems

At the moment, the ICO recommends the following basic requirements in relation to cyber security and more information is available in the Law Society of Scotland’s guide to cyber security.

The ability to restore the availability of data in a timely manner

All organisations of any nature are vulnerable to cyber-attacks and in particular the use of ransomware attacks has increased, where any business who relies on technology can be a target. The most common example is where malicious software gets into your IT system and encrypts the server. This could be through an email, downloading malicious files by mistake or the use or unsafe removable devices. A ransom is then sought from the business with the promise of the return of the de-encrypted data if the ransom is paid. These organisations are often involved in serious and organised crime and therefore any ransom will fund more of that and you are not guaranteed to get your data back.

The NCSC’s advice is to have a robust data backup strategy in place to protect against disasters such as fire and flood but also malware, such as ransomware. Back-ups should be tested to make sure they are working as expected and that you know how to restore files. Back-ups should not be stored in a way that makes them permanently visible to the rest of the network. If they are then, they can also be encrypted by the malware or the files could be lost anyway. At least one of your back-ups should be off-site.

Have a process for testing security measures regularly

Regular vulnerability scans and penetration tests should be carried out on your systems for known vulnerabilities and to make sure that any issues identified are addressed.

Staff training
  • People are the weakest security link and staff should be trained in relation to data protection and security. Training should cover:
  • What is expected of you in relation to data security
  • Being wary of people who may try to trick you into giving out personal details
  • Staff can be prosecuted if they deliberately give out personal details without permission
  • The use of strong passwords
  • Being wary of emails that appear to come from your bank and that ask for your account, credit card details or your password (a bank would never ask for this information in this way)
  • Spam emails and not opening them, even to unsubscribe or ask for no more mailings