
UK GDPR and Cybersecurity: What Boards Need to Know in 2026

UK GDPR places explicit obligations on organisations to implement 'appropriate technical and organisational measures' — which the ICO now interprets as including mature cybersecurity controls. Here's what that means for your board.

The Regulatory Backdrop

Since the UK’s departure from the EU, the UK GDPR (retained and amended through the Data Protection Act 2018) has diverged slightly from its European counterpart — but the core security obligations remain robust and actively enforced.

The Information Commissioner’s Office (ICO) has made clear that data protection and cybersecurity are inseparable. In 2024 and 2025, several high-profile enforcement actions explicitly cited inadequate cybersecurity controls as a violation of Article 5(1)(f) — the integrity and confidentiality principle.

What “Appropriate Technical Measures” Actually Means

Article 32 of UK GDPR requires organisations to implement measures appropriate to the risk, including:

  • Pseudonymisation and encryption of personal data
  • Ongoing confidentiality, integrity, availability, and resilience of systems
  • Ability to restore access to personal data in a timely manner after an incident
  • Regular testing and evaluation of security measures

The ICO’s guidance and enforcement decisions make it clear that “regular testing” means documented penetration testing and vulnerability assessments — not just annual checkbox exercises.

Board-Level Accountability

The UK GDPR places accountability squarely on senior leadership. The ICO expects:

  • A Data Protection Officer (where required) with genuine authority and resource
  • A documented Records of Processing Activities (RoPA)
  • Regular Data Protection Impact Assessments (DPIAs) for high-risk processing
  • A tested incident response and breach notification procedure — breaches must be reported to the ICO within 72 hours

Maximum fines are the higher of £17.5 million or 4% of global annual turnover. The ICO also issues public reprimands that carry significant reputational consequence even when no financial penalty is issued.

FCA Overlaps: DORA and SYSC

For FCA-regulated firms, cyber obligations compound. The EU’s Digital Operational Resilience Act (DORA) — whilst technically an EU regulation — is influencing FCA expectations for UK firms operating in European markets or with EU counterparts.

The FCA’s SYSC sourcebook already requires regulated firms to maintain adequate organisational and technical measures to manage ICT and operational risk. In practice, this means:

  • ICT risk management frameworks with board-approved policies
  • Third-party risk management — including cybersecurity due diligence on all technology vendors
  • Incident classification and reporting to the FCA for material operational disruptions

The Rhentech Approach

Our UK GDPR compliance advisory service provides:

  1. Article 32 audit — assessing your current technical and organisational measures against ICO expectations
  2. RoPA review — ensuring your data map is accurate and security controls are documented per asset
  3. DPIA support — for new technologies, AI tools, and processing activities
  4. Incident response planning — so your 72-hour notification capability is tested, not assumed

We work with your legal team, not around them. Cybersecurity and data protection are two sides of the same coin — and we help boards understand both.


This article is for informational purposes. It does not constitute legal advice. Always consult qualified legal counsel for regulatory compliance matters specific to your organisation.
