GDPR and Cyber Security: Your Edinburgh Business Obligations

TL;DR – What Edinburgh businesses need to know

  • UK GDPR Article 32 requires “appropriate technical and organisational measures” – vague by design, but the ICO fines hard when they’re missing
  • Data breaches must be reported to the ICO within 72 hours of discovery
  • Maximum UK GDPR fine: £17.5 million or 4% of global turnover
  • The ICO fined Capita £14 million in 2025 for poor data security following a 2023 breach
  • Police Scotland was fined in March 2026 – including for missing the 72-hour notification window

This guide covers the cyber security obligations UK GDPR places on Edinburgh businesses and how to meet them. The ICO fined Capita £14 million in October 2025 for a data breach that exposed the records of 6.6 million people. Closer to home, Police Scotland was fined by the ICO in March 2026 – in part for failing to report a data incident within the mandatory 72-hour window. Neither organisation thought of its cyber security problem as a data protection problem. That is precisely the mistake UK GDPR was designed to prevent.

UK GDPR doesn’t tell you which firewall to buy. Article 32 doesn’t specify a particular endpoint detection tool. But it does set out clearly what happens if your organisation fails to implement security that is appropriate to the risks you carry – and the ICO is now issuing fines that average over £2.8 million per case. For an Edinburgh SME, the conversation about encryption, access controls, and staff training is no longer just an IT conversation. It’s a legal one.

This article sets out the seven concrete GDPR cyber security obligations that apply to every Edinburgh business handling personal data – which is almost every business.


Figure: UK GDPR ICO fine tiers – selected examples (2025). Higher tier maximum £17.5m; Capita (2025) £14m; Standard tier maximum £8.7m; DPP Law (2025) £60k. Source: ICO Enforcement Action, 2025.

Obligation 1: Implement “Appropriate Technical Measures” (Article 32)

According to URM Consulting’s 2026 analysis, the average ICO fine in the UK rocketed nearly tenfold to £1.45 million in 2025. Article 32 of UK GDPR is the closest the regulation gets to a cyber security standard – and it is deliberately technology-neutral. The ICO does not prescribe a specific product, but it does fine organisations whose security falls materially short of what a proportionate risk assessment would require. The Capita fine of £14 million in 2025 was rooted almost entirely in Article 32 failures.

The article requires you to consider: the state of the art, implementation costs, and the nature and risks of your processing. For an Edinburgh accountancy firm holding thousands of client tax records, “appropriate” means something different from a sole trader with a contact form. What the ICO has consistently found inappropriate: no encryption of personal data at rest or in transit; no multi-factor authentication (MFA) on remote access; no process for applying security patches promptly; and no regular testing of security controls.

The four specific technical measures named in Article 32(1) are:

  • Pseudonymisation and encryption of personal data
  • Confidentiality, integrity, availability and resilience of processing systems
  • Ability to restore availability and access to data in a timely manner after an incident
  • Regular testing, assessing and evaluating the effectiveness of measures in place

The ICO’s data security guidance notes that Cyber Essentials provides a useful baseline but explicitly states it is only a “base” set of controls. High-risk processing – for example, health data, financial data, or data on vulnerable individuals – will require more. See our for a practical breakdown of baseline controls by sector.


Obligation 2: Report Data Breaches Within 72 Hours

According to the Information Commissioner’s Office (ICO 2025), regulators retain the power to issue maximum financial penalties of up to £17.5 million or 4% of global turnover. Failing to report a severe data breach within the mandatory 72-hour window will guarantee a massive escalation in your final penalty.

This is where most Edinburgh businesses struggle. Police Scotland’s ICO fine in March 2026 included a specific finding that the organisation had failed to self-report within the mandatory 72-hour window. The ICO receives over 12,400 breach reports per year in the UK (ICO Annual Report 2024/25), but late and missing reports are a consistent theme in enforcement decisions.

When you report, you must provide:

  • The nature of the breach, including categories and approximate number of individuals and records affected
  • The name and contact details of your Data Protection Officer or relevant contact
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach and mitigate its effects

The most dangerous scenario for a small business is not knowing a breach has occurred. An attacker sitting in your email system for three weeks before exfiltrating data does not trigger the clock until your organisation becomes aware. Logging, monitoring, and alerting are therefore not optional extras – they are part of your ability to comply with Article 33.

The ICO’s breach reporting portal is at ico.org.uk/report-a-breach. If you are unsure whether a breach needs reporting, the ICO guidance is clear: report unless you are confident the risk to individuals is low.


Obligation 3: Keep a Record of Processing Activities (ROPA)

Over half of all 2025 ICO fines were issued strictly for UK GDPR security infringements rather than routine marketing breaches, according to URM Consulting (2026). Documenting your Technical and Organisational Measures (TOMs) is your only valid legal defence during a post-breach regulatory audit.

From our experience: the most common finding during our initial security assessments is that basic configuration hygiene – disabling legacy protocols, enforcing MFA, and patching known vulnerabilities – eliminates the majority of attack surface before any new tooling is needed.

Our view: Insurers are increasingly looking for any discrepancy in a firm’s ROPA (Record of Processing Activities) as a valid reason to deny breach payouts.

Your ROPA is effectively your data asset register. An organisation that cannot describe where its personal data lives cannot protect it. When an Edinburgh law firm completes its ROPA and discovers that client data from 2018 is still sitting in an unencrypted shared drive accessible to all staff, that discovery is not a compliance exercise – it is a security finding. The ROPA forces you to map your data estate, and that map is the foundation for every security control that follows: encryption decisions, access control scope, backup coverage, and breach notification triage. Organisations without a ROPA don’t just risk an Article 30 fine – they lose visibility of their own attack surface.

For organisations with fewer than 250 employees, the ROPA requirement applies if your processing carries risks to individuals’ rights and freedoms, is not occasional, or includes special category data. In practice, most Edinburgh businesses handling employee, customer, or health data will need one.



Obligation 4: Conduct Data Protection Impact Assessments for High-Risk Processing

Under current UK GDPR legislation, the Information Commissioner’s Office (ICO) retains the power to issue maximum financial penalties of up to £17.5 million or 4% of global turnover (URM Consulting enforcement data, 2026). A Data Protection Impact Assessment (DPIA) is required under Article 35 of UK GDPR before you begin any processing likely to result in a high risk to individuals. The ICO provides a list of the types of processing that automatically trigger this requirement – including large-scale processing of special category data, systematic monitoring, and use of new technologies.

The cyber security dimension of a DPIA is direct: the assessment must identify the risks to personal data and document the measures you will put in place to address them. A DPIA completed before you deploy a new cloud CRM or HR system should explicitly address questions of encryption, access control, breach notification, and supplier security. A DPIA completed afterwards is a retrospective exercise – valuable, but it does not protect individuals from risks that were never assessed.

For Edinburgh businesses introducing remote working arrangements, deploying AI tools that process customer data, or moving data to cloud platforms, a DPIA is not a box-ticking exercise. It is the documented evidence that you identified the risks and took proportionate steps. The ICO can and does request DPIAs during investigations. Organisations that lack them face an immediate credibility deficit.


Obligation 5: Vet Your Processors and Suppliers

Phishing remains the dominant threat vector, responsible for 85% of the cyber breaches reported by UK businesses (DSIT Cyber Security Breaches Survey, 2025). Article 28 of UK GDPR requires that where you use a third-party supplier to process personal data on your behalf – a payroll provider, a cloud hosting company, a marketing platform – you must have a written contract that includes specific data protection terms. You cannot outsource your UK GDPR liability. If your processor has a breach, you remain accountable to the ICO for having selected and overseen them appropriately.

Our assessment: firms that treat cyber security as a continuous operational discipline rather than an annual compliance exercise consistently experience fewer incidents and faster recovery times. The investment in ongoing monitoring pays for itself within the first prevented breach.

The practical minimum for Edinburgh SMEs is a supplier cyber security questionnaire before onboarding any new data processor. This does not need to be a 40-page document. It needs to establish: Does the supplier encrypt data at rest and in transit? Do they have an incident response process? Have they had a notifiable breach in the last two years? Are they certified under any recognised framework such as Cyber Essentials, ISO 27001, or SOC 2?

The contract itself must include the requirements set out in Article 28(3), including: processing only on your documented instructions; confidentiality obligations; implementing appropriate security measures; assisting you in fulfilling your DPIA and breach notification obligations; and deleting or returning data at the end of the contract. The ICO has published model contract clauses for UK international data transfers. For domestic supplier contracts, ensure your standard terms include these Article 28 obligations as a minimum.


Obligation 6: Train Your Staff

Human error is a leading cause of personal data breaches in the UK (the DSIT Cyber Security Breaches Survey, 2025). The ICO’s own data security incident statistics show that data emailed to the wrong recipient was the single most frequently reported incident type in 2023, accounting for 16% of all cases (ICO Data Security Incident Trends, 2024). Broader research by IBM and Mimecast suggests human error contributes to approximately 95% of data breaches when phishing, credential misuse, and accidental disclosure are all counted.

UK GDPR does not contain a standalone staff training obligation, but the requirement for appropriate organisational measures under Article 32 is interpreted by the ICO to include training. An organisation that suffers a breach because a member of staff clicked a phishing email and had no training on how to identify one will find it difficult to argue it had implemented appropriate measures. The ICO’s fining guidance explicitly considers the absence of staff training as a factor that increases a fine.

Training must cover, as a minimum:

  • How to recognise phishing emails and social engineering attempts
  • What constitutes a personal data breach and how to report it internally
  • Password hygiene and the correct use of multi-factor authentication
  • The organisation’s acceptable use policy for devices and data
  • Who to contact if they suspect a security incident

Training records matter. If the ICO investigates, you need to demonstrate not just that training was provided but when, to whom, and on what topics. Annual refreshers and induction training for new starters should both be logged.


Obligation 7: Have a Tested Incident Response Plan

Despite rising regulatory threats, only a fraction of UK SMEs hold formal supply chain security certifications such as Cyber Essentials (DSIT Cyber Security Breaches Survey, 2025). A documented, tested incident response plan sits at the intersection of cyber security good practice and UK GDPR obligation. Article 32(1)(c) requires the ability to restore availability and access to personal data in a timely manner after a physical or technical incident. Article 33 requires 72-hour breach notification. Neither is achievable if your organisation has no plan for what to do in the first hours after discovering a breach.

The ICO considers the existence of a robust incident response plan as a significant mitigating factor when setting fines. Capita’s £14 million fine in 2025 was reduced from a proposed £45 million – one of the mitigating factors cited was evidence of post-incident remediation activity. Conversely, organisations that delayed response, failed to quarantine affected systems, or notified the ICO weeks after discovery face upward pressure on penalties.

A tested incident response plan means it has been exercised – a tabletop simulation at minimum, involving whoever would realistically be in the room during a real incident. The plan should document: who has authority to declare an incident, how evidence is preserved, when legal counsel is engaged, who owns ICO notification, and how communications to affected individuals are managed.

See our guide on for a step-by-step template your Edinburgh business can adapt.


UK GDPR Article 32 and Cyber Essentials: How They Align

According to URM Consulting enforcement data (2026), Cyber Essentials certification maps directly onto several of the Article 32 requirements. It does not guarantee UK GDPR compliance – the ICO is explicit on this – but it provides documented evidence that baseline technical controls are in place.

UK GDPR Article 32 Requirement                        | Cyber Essentials Control
------------------------------------------------------|-----------------------------------------------
Prevent unauthorised access to systems                | Boundary firewalls and internet gateways
Protect data on devices and in transit                | Secure configuration of devices
Restrict access to personal data                      | User access control and privilege management
Reduce exposure to malware                            | Malware protection
Keep systems up to date against known vulnerabilities | Security update management (patch management)
Protect remote access                                 | Secure configuration, MFA for remote access

Cyber Essentials Plus includes independent verified testing of these controls. Achieving certification before an ICO investigation gives your organisation a defensible position: you can demonstrate to the ICO that your baseline controls were independently assessed and met the national standard. See our guide to for how to certify.


Frequently Asked Questions

What cyber security measures does UK GDPR require?

UK GDPR Article 32 requires “appropriate technical and organisational measures” taking into account the state of the art, implementation costs, and the nature and risks of your processing. In practice this includes encryption of personal data at rest and in transit, multi-factor authentication, access controls, patch management, regular security testing, and staff training. The measures must be proportionate to the risk – higher-risk processing requires more robust controls.

How much can the ICO fine a business for a cyber breach?

The maximum fine under UK GDPR is £17.5 million or 4% of total annual worldwide turnover, whichever is higher. A lower tier maximum of £8.7 million or 2% of turnover applies to certain procedural infringements. In practice, the ICO’s 2025 enforcement saw an average fine of over £2.8 million per case, with Capita fined £14 million for failures following a 2023 data breach (ICO, October 2025).

Do I have to report a cyber attack to the ICO?

You must report a cyber attack to the ICO if it constitutes a personal data breach – that is, if it results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. Not every cyber attack triggers this obligation. A failed brute-force attempt that accessed no data is unlikely to require notification. A ransomware attack that encrypted personal data almost certainly does.

What is the 72-hour rule under UK GDPR?

Article 33 of UK GDPR requires you to notify the ICO within 72 hours of becoming aware of a personal data breach, where that breach is likely to result in a risk to individuals’ rights and freedoms. The 72-hour clock starts when you have enough information to reasonably conclude a breach has occurred – not when a full investigation is complete. Late notification is itself a breach of UK GDPR and an aggravating factor in ICO fine calculations.

Does Cyber Essentials certification help with GDPR compliance?

Yes – Cyber Essentials maps directly onto several Article 32 requirements, covering firewalls, access control, patch management, malware protection, and secure configuration. The ICO has acknowledged that Cyber Essentials provides a useful baseline. Certification provides documented evidence that baseline technical controls were in place and independently verified. It does not guarantee compliance – organisations processing high-risk data will need to go further – but it substantially strengthens your position if the ICO investigates.

What Are the Key Takeaways?

UK GDPR and cyber security are not separate conversations for Edinburgh businesses. Every Article 32 obligation is a cyber security control. Every 72-hour notification window is a test of your detection and response capability. Every ROPA is a data asset register that tells you what you need to protect. The ICO’s enforcement direction is clear: fines are larger, investigations are triggered by breaches, and organisations with poor security hygiene face material financial consequences.

The obligations in this article are not aspirational. They are legal requirements that apply to your business today. Virtually Pro works with Edinburgh SMEs to implement the practical controls – from Cyber Essentials certification to incident response planning – that satisfy these obligations and reduce your genuine exposure to attack. If you are not certain where your organisation stands against these seven requirements, that uncertainty is itself an answer worth acting on.
