By Hans Allnutt & Heasha Wijesuriya


Published 08 May 2025

Overview

The security requirements of the UK GDPR allow for broad interpretation. This is helpful in accommodating organisations across a wider spectrum of resourcing and sectors but difficult when it comes to prescribing required security standards.

Our cyber team have reflected on some of the detail that sits behind the ICO's approach to determining what is meant by "appropriate" security and the risks of straying into a strict liability regime.


UK GDPR security requirements

The foundation for the ICO's enforcement of data security is Article 32 of the UK GDPR, which requires data controllers and processors to implement 'appropriate' technical and organisational measures to ensure a level of security 'appropriate' to the risk. Because the UK GDPR is principles-based rather than prescriptive, this leaves a potentially significant amount of uncertainty for an organisation when it comes to determining whether or not it is meeting the security requirements of the UK GDPR.

Moreover, the UK GDPR's requirements acknowledge that there is no single technical and organisational measure that will meet the standard. Appropriate measures will depend on the state of the art of technology, the costs of implementation and the nature, scope and context of the personal data being processed. As costs are a considered factor, the measures that require the resources of a multi-national financial institution are unlikely to be required of a small charity.

The good news for organisations should be that the security requirements of the UK GDPR are neither absolute nor do they create a strict liability regime. It should be possible to suffer a cyber attack, for example, at the hands of a determined and well-resourced cyber-criminal despite having taken appropriate measures for the type of victim organisation, without breaching the UK GDPR. Proceeds from ransomware activities exceed a billion dollars, and criminal groups are staffed with highly proficient individuals targeting victims on a full-time basis. For some organisations, it is not a fair fight.

The difficulty is, however, identifying the level of appropriateness (and therefore expenditure of time, cost and resource) that will satisfy the ICO in the event of a cyber attack. The ICO draws from the UK GDPR in its own guidance, noting that "what's appropriate for you will depend on your own circumstances, the processing you're doing, and the risks it presents to your organisation". No organisation has limitless funding and resources.


ICO / NCSC Guidance

The ICO's approach to the security requirements of the UK GDPR is to take an outcome-based approach:

Manage your security risk

  • Governance
  • Risk management
  • Asset management
  • Processors and the supply chain

Protect personal data against cyber attack

  • Service protection policies and processes
  • Identity and access control
  • Data security
  • System security
  • Staff awareness and training

Detect security events

  • Security monitoring

Minimise the impact

  • Response and recovery planning
  • Improvements

These four outcomes are identical to those featured in the NCSC Cyber Assessment Framework (CAF) and, while the ICO does not state that it has formally incorporated the CAF, the ICO notes that it worked with the CAF in developing its approach.

Interestingly, the NCSC stated that 'it is intended that the CAF collection will be of particular interest to cyber oversight bodies, organisations (such as cyber regulators) that have responsibility for cyber security and resilience of a sector'.

One would note that the ICO's own website records that the CAF was designed primarily for operators of critical national infrastructure, yet no sector-based differentiation is publicly acknowledged by the ICO in its own guidance. It may be that the ICO does adapt a sector-based approach in applying the CAF 'behind the scenes', given that the NCSC's guidance on the CAF does provide for sector-based nuances.


Outcome-based assessment

An organisation would do well, therefore, to use the CAF (or the ICO's equivalent) to assess its own security posture. The NCSC highlights that each outcome can be broken down into Indicators of Good Practice (IGPs). In practice, these are two lists: (i) indicators of achievement; and (ii) indicators of non-achievement (see the NCSC example). Where an organisation meets all positive IGPs, it will be rated 'green'. Where it shows one or more negative IGPs, the organisation will be rated 'red'. If the organisation falls between the two, the outcome will be rated 'amber'.

It is reasonable to observe that it would be difficult for the average organisation to be rated green across the board: an organisation would need to 'get everything right'. Conversely, it would be easy for an organisation to receive a red rating, since only a single negative factor needs to be present.

This approach can be hugely helpful for organisations wanting to assess their cyber security posture, focussing attention on measures that need improving rather than those they are already achieving.

When it comes to enforcement, however, one can see how the use of the red, amber, green rating might result in a challenging standard. We do not know if and how the ICO utilises these ratings, or how they apply to the ICO's existing enforcement guidelines, but would observe that if they were used in enforcement then the same outcome may be present: it is intrinsically harder to achieve a 'green' status than red or amber.


ICO enforcement

When it comes to enforcement, fines have been relatively few compared to the number of breaches reported to the ICO. This would appear to be due to the limited resources of the ICO, rather than the severity of the particular UK GDPR breaches. Indeed, in our experience, the ICO will not determine that a victim organisation has met the security requirements of the UK GDPR, only that the ICO has decided not to proceed with regulatory action.

Of those incidents that look likely to progress to enforcement, if a CAF approach is used, one would expect outcomes that almost certainly include red or amber assessments, with very few organisations achieving green across the board. Such is the structure and approach of the CAF.

The danger here is the possibility of strict liability by the back door, in that one negative IGP would trigger a red rating irrespective of wider security behaviours. Again, we emphasise that it is not known if this approach is taken by the ICO.


Enforcement in practice

That being said, the ICO have indicated certain stricter approaches to enforcement.

The ICO Deputy Commissioner, Stephen Bonner, has stated that "While there is no single solution to prevent cyber attacks, there is absolutely no excuse for not having the foundational controls in place". He was also reported by Infosecurity magazine as saying that "there is no longer any excuse for not deploying MFA across all external connections."

The 'no excuse' language might be perceived as a strict-liability regime, with comparisons to be drawn with the CAF, where a single negative IGP triggers an instant 'red' rating.

Failings in other single technical measures have also been highlighted by the ICO as the basis for enforcement.

The ICO's enforcement action against British Airways plc (BA) resulted in a fine of £20m (originally proposed at £183m) as a result of a data breach that occurred in 2018 and affected 429,612 individuals.

The ICO showed no sympathy for the argument that BA was targeted by a sophisticated attacker. For instance, the Commissioner highlighted that "sophisticated cyber attacks on global businesses are commonplace. The Attack in this case was not of such a degree of sophistication as to negate BA's responsibilities for securing its system and the personal data processed within it".

Importantly, in taking this enforcement action, the ICO relied upon a range of external sources for guidance, such as the NCSC supply chain guidance, NIST principles, OWASP guidance and white papers by technology companies such as Citrix. Once the ICO had identified the failure, it pointed to a wide variety of sources that BA could and should have been aware of.

One might observe that, as with the CAF, the balance is stacked against the organisation: it will be extremely difficult for an organisation to be apprised of all the available guidance that the ICO can identify with the benefit of hindsight, yet incredibly easy for an organisation to miss a single publication at the time.


MITRE CVE

In April 2025, the U.S. Department of Homeland Security announced it would not be extending the contract for the 'Common Vulnerabilities and Exposures' (CVE) database run by not-for-profit organisation, MITRE.

CVEs are commonly used by the ICO in enforcement action, as a basis for the organisation's implied knowledge of a security shortcoming that ought to have been fixed.

The immediate concern following the Department's announcement was that the CVE database had been relied upon globally for 25 years to identify and mitigate known security vulnerabilities. Fortunately, a last-minute scramble by the U.S. Cybersecurity and Infrastructure Security Agency led to funding for the CVE program being renewed for a further 11 months.

Given the heavy reliance on CVEs in ICO enforcement, one wonders how the ICO might approach enforcement in the future if the temporary reprieve is not extended beyond this period.


Summary

The ICO has been left with the difficult challenge of operationalising the broad security requirements of the UK GDPR. The CAF provides some insight as to how the ICO approaches this task.
