GDPR & Compliance · May 2026 · 6 min read

GDPR Article 32: What 'Appropriate Security Measures' Actually Means for UK Small Businesses

Article 32 of the UK GDPR requires businesses to implement 'appropriate technical measures' to protect personal data. But what does that actually mean in practice for a small business without an IT department?

The GDPR security obligation most businesses overlook

Most small businesses know about GDPR. They've updated their privacy policies, added cookie banners to their websites, and made sure they have a process for handling data subject requests. But there's a part of GDPR that often gets less attention — and that the ICO increasingly focuses on when things go wrong.

Article 32 of the UK GDPR requires businesses that process personal data to implement "appropriate technical and organisational measures" to ensure a level of security appropriate to the risk. It's deliberately vague — and that vagueness is often used as a reason not to engage with it seriously.

That's a mistake. When the ICO investigates a data breach, Article 32 compliance is one of the first things they look at.

What Article 32 actually says

Article 32 requires controllers and processors to implement measures that ensure "a level of security appropriate to the risk." It specifically mentions:

  • Pseudonymisation and encryption of personal data
  • The ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems
  • The ability to restore availability and access to personal data in a timely manner in the event of an incident
  • A process for regularly testing and evaluating the effectiveness of security measures

What it doesn't do is specify exactly what those measures need to be. That is where the ICO's guidance comes in.

What the ICO expects

The Information Commissioner's Office consistently points to the Cyber Essentials framework as a good baseline for Article 32 compliance. In its guidance, the ICO states that implementing Cyber Essentials controls "will help you demonstrate that you have taken appropriate technical measures."

This means the five Cyber Essentials control areas — firewalls, secure configuration, access control, malware protection, and patch management — are effectively the ICO's practical definition of "appropriate technical measures" for most small businesses.

Implementing these controls, and being able to document that you have done so, is the most straightforward path to Article 32 compliance for a small business.

What happens when things go wrong

When a data breach occurs and the ICO investigates, they will ask what security measures you had in place. If you can demonstrate that you had implemented appropriate controls — even if they weren't perfect — the ICO is likely to take a more lenient view.

If you cannot demonstrate any structured approach to security, the consequences can be significant. ICO fines for small businesses have ranged from a few thousand pounds to tens of thousands, depending on the severity of the breach and the adequacy of the measures in place.

Documentation matters as much as implementation. It's not enough to have controls in place — you need to be able to show that you assessed your security position and took reasonable steps to address the risks you identified.

The organisational measures side

Article 32 covers both technical and organisational measures. On the organisational side, the ICO expects businesses to have:

  • A basic security policy covering how personal data should be handled
  • Staff awareness of their responsibilities around data security
  • A process for reporting and responding to security incidents
  • Regular review of security measures

Evidencing compliance

The most practical way to evidence Article 32 compliance is through a documented security assessment. A structured self-assessment against the Cyber Essentials framework — covering all five control areas, identifying gaps, and setting out remediation actions — is exactly the kind of documentation the ICO expects to see.

Our assessment tool produces a professional PDF report that documents your current security posture across all five Cyber Essentials areas. It takes 10 minutes, requires no technical knowledge, and produces a report you can use as evidence of your Article 32 due diligence.

For any business that holds customer records, employee data, or payment information, this kind of documented assessment is no longer optional — it's the minimum standard the ICO expects.

Find out where your business stands

Complete our 10-minute plain-English assessment and get a professional security report aligned to Cyber Essentials — suitable for insurance applications and client due diligence.

