ICO enforcement action against UK organisations rose sharply in 2024 and 2025, with fines totalling over £12 million across the two years for failures in technical security measures. The pattern in ICO enforcement notices is consistent: organisations that suffered a breach and could not demonstrate that they had implemented appropriate technical controls faced the harshest outcomes. For developers, this is a direct professional concern. The decisions you make about encryption, logging, access control, and data retention are the technical controls that determine whether an organisation can defend itself before the ICO.

This guide is written for developers and engineering teams, not legal or compliance departments. It translates UK GDPR’s requirements into concrete technical decisions: what to implement, how to implement it, and why each measure exists.

TL;DR

  • UK GDPR Article 32 requires “appropriate technical measures” proportionate to the risk. For most applications handling personal data this means encryption at rest and in transit, pseudonymisation where feasible, access controls, and documented breach detection capability.
  • The most common developer mistakes that create GDPR exposure: logging PII in debug output, soft-deleting records that should be hard-deleted for right to erasure, and failing to implement DPAs with every third-party service that touches personal data.
  • Data minimisation is a design decision made at the field level. If you do not have a documented reason to collect a field and store it, do not collect it.
  • Right to erasure requires actual deletion, cascading through all systems including backups and third-party processors. Soft deletes do not satisfy the obligation.

UK GDPR vs EU GDPR: What Changes for Developers

Post-Brexit, the UK retained the EU GDPR framework as “UK GDPR” through the European Union (Withdrawal) Act 2018. For developers, the technical requirements are identical. The differences are administrative: the supervisory authority in the UK is the Information Commissioner’s Office (ICO), not an EU national data protection authority, and cross-border transfers between the UK and EU are governed by the UK adequacy decision (currently maintained by the EU, though this is periodically reviewed).

The practical implication is that if you build software compliant with EU GDPR’s technical requirements, it satisfies UK GDPR’s technical requirements. The reverse is also true. Where you will encounter divergence is in notification procedures, transfer mechanisms, and the ICO’s specific enforcement guidance, which sometimes differs in emphasis from EDPB guidance.

Article 32: What It Actually Requires

Article 32 of UK GDPR requires controllers and processors to implement “appropriate technical and organisational measures” to ensure a level of security appropriate to the risk, taking into account state of the art, implementation costs, and the nature, scope, context, and purposes of processing.

That language is deliberately flexible. What it translates to in practice depends on your risk profile, but Article 32(1) gives four specific examples:

  1. Pseudonymisation and encryption of personal data
  2. Ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems
  3. Ability to restore availability and access to data in a timely manner following an incident
  4. A process for regularly testing, assessing, and evaluating the effectiveness of security measures

“State of the art” does not mean you must implement the most expensive or bleeding-edge solution. It means you cannot justify using a weak approach (like MD5 for password hashing) when clearly better approaches (like Argon2) are well-established, widely available, and not materially more expensive to implement.

Encryption at Rest

Passwords. Never store passwords in plaintext, and never use MD5 or SHA-1 for password hashing. Both are entirely unsuitable. Use bcrypt with a work factor of at least 12, or Argon2id with parameters tuned to take at least 100ms on your server hardware. Argon2id is the current recommendation from OWASP and is preferable for new implementations.

1# Argon2id with libsodium (Node.js example)
2const hash = await argon2.hash(password, {
3  type: argon2.argon2id,
4  memoryCost: 65536,   // 64 MB
5  timeCost: 3,
6  parallelism: 1
7});

Database encryption. Enable encryption at rest at the database level. All major databases and managed services (PostgreSQL, MySQL, MongoDB Atlas, AWS RDS, Azure SQL) support this. Transparent data encryption (TDE) protects data on disk, but it does not protect against a compromised database user with query access. For highly sensitive fields (National Insurance numbers, medical records, financial account numbers), consider application-level field encryption using AES-256-GCM with a key management service (AWS KMS, Azure Key Vault, HashiCorp Vault). The key must be stored separately from the data it encrypts.

Key management. Do not hardcode encryption keys in application code or store them in the same database as the data they protect. Use environment variables for development, and a managed key management service for production. Rotate keys periodically and ensure your application can handle key rotation without downtime.

What not to do. Do not store plaintext personal data in log files, temporary files, or application caches where encryption may not apply. Check every code path that handles personal data and ensure it does not inadvertently persist unencrypted copies.

Encryption in Transit

TLS configuration. Enforce TLS 1.2 as the minimum, with TLS 1.3 as the default where supported. Disable SSLv3, TLS 1.0, and TLS 1.1 entirely. On nginx:

1ssl_protocols TLSv1.2 TLSv1.3;
2ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
3ssl_prefer_server_ciphers off;

HSTS. Set the Strict-Transport-Security header with a long max-age value and includeSubDomains. A max-age of at least 31536000 (one year) is the standard. Submit to the HSTS preload list if your deployment allows it.

1Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Mixed content. Serving any resource (images, scripts, stylesheets, API calls) over HTTP from an HTTPS page creates a mixed content vulnerability and undermines transport security. Configure your Content Security Policy to block mixed content and audit your page for any non-HTTPS resource loads.

Internal services. Encryption in transit applies to internal service-to-service communication as well as user-facing traffic. Database connections, message queue connections, and microservice calls should all use TLS. Many developers correctly encrypt the user-facing layer and overlook the internal network.

Data Minimisation in Code

Data minimisation is not a legal abstraction. It is a design decision made field by field. Before collecting any piece of personal data, ask: does the application actually need this to function? If you cannot answer that question with a specific use case, do not collect it.

In practice this means:

  • Remove form fields that are optional and whose purpose is vague (“date of birth” on a newsletter signup where you have no age-gating requirement)
  • Audit your database schema regularly and drop columns that contain personal data with no active use
  • Set retention periods at the schema level where possible, using scheduled jobs to purge expired records automatically
  • Avoid collecting high-sensitivity personal data (health information, financial detail, political views) unless your application genuinely requires it, because Article 32 risk assessment scales with the sensitivity of data processed

The ICO’s accountability principle requires you to be able to demonstrate that you considered data minimisation. Documented design decisions in your architecture or sprint notes satisfy this. Undocumented decisions do not.

Pseudonymisation

Pseudonymisation replaces directly identifying information with a token or identifier that cannot identify the individual without access to a separately held key or mapping table. Article 32 explicitly lists it as a recommended technical measure, and Article 89 provides reduced obligations for processing pseudonymised data for research purposes.

For analytics and behaviour tracking, a common pattern is to hash user identifiers with a site-specific salt using SHA-256 before passing them to your analytics system:

1import hmac, hashlib
2
3def pseudonymise(user_id: str, site_secret: str) -> str:
4    return hmac.new(
5        site_secret.encode(),
6        user_id.encode(),
7        hashlib.sha256
8    ).hexdigest()

The salt must be stored separately from the analytics data. Without it, the hash cannot be reversed to identify the individual. This means your analytics system holds pseudonymised identifiers only, reducing the risk profile of a breach of that system.

Pseudonymisation is not anonymisation. If you hold the mapping key, the ICO treats the pseudonymised data as personal data. Full anonymisation, where re-identification is not possible even with additional information reasonably likely to be available, removes the data from GDPR scope entirely. Achieving genuine anonymisation is difficult in practice; most implementations produce pseudonymised data, which still falls under GDPR but with reduced risk.

Right to Erasure: Implementing It Properly

Right to erasure (Article 17) is one of the most technically demanding GDPR obligations to implement correctly. The requirements are specific:

Hard delete, not soft delete. Setting an is_deleted flag and filtering it out of queries does not satisfy the right to erasure. The data must be actually removed from the database. Build hard delete functionality for every entity that holds personal data.

Cascading deletes. Deleting the user record is not enough if personal data is also held in related tables (orders, addresses, activity logs, preferences, uploaded files). Map every table that contains personal data linked to a user identifier and ensure deletion cascades correctly, or implement an explicit deletion job that removes all associated data atomically.

Third-party processors. If you have sent personal data to a third-party service (email marketing platform, CRM, analytics tool, payment processor), your erasure obligation extends to instructing that processor to delete the data as well. This requires:

  • A documented inventory of every third-party service that receives personal data
  • A confirmed deletion mechanism for each (API call, support ticket, automated data subject request handling)
  • Evidence that the deletion was completed

Backups. Backups are the most commonly overlooked erasure problem. If you take daily database backups with a 90-day retention period, a deletion request satisfied in the live database will not be satisfied in the backups until they age out. The ICO’s position is that backups restored after erasure must not reintroduce the deleted personal data. Practical approaches include: excluding deleted records from backup exports where feasible, implementing backup-specific purge processes, or using field-level encryption and deleting the key (making the data unreadable, which approaches the standard of erasure).

Exemptions. Right to erasure is not absolute. You can retain data necessary for legal claims, statutory compliance (for example, financial records under the Companies Act), or public interest purposes. Document the exemption and communicate it to the data subject when you decline or partially fulfil an erasure request.

Breach Detection and the 72-Hour Notification Requirement

UK GDPR Article 33 requires that you notify the ICO within 72 hours of becoming aware of a personal data breach that is likely to result in risk to individuals. This is not 72 hours from when the breach occurred. It is 72 hours from when you became aware. The distinction creates a direct incentive to build breach detection capability, because the clock starts ticking when you find it.

What to log for breach detection. Your logging architecture should capture:

  • Authentication events: successful and failed logins, MFA challenges, password resets
  • Authorisation failures: requests that were denied due to permission checks
  • Data access: who accessed what personal data and when, especially bulk exports or unusual query volumes
  • Configuration changes: changes to user permissions, encryption keys, or data retention settings
  • Anomalous patterns: access from unusual IP addresses or at unusual times, high-volume reads of personal data tables

What not to log. Do not log personal data values in your application logs. Debug logs that record full request bodies, database queries with parameter values substituted in, or user-entered form data create secondary personal data stores that are difficult to manage and are themselves in scope for GDPR. Log identifiers (user IDs, session IDs, request IDs) rather than values.

1# Wrong: logs the actual email address
2logger.debug(f"Login attempt for user {request.form['email']}")
3
4# Right: logs an identifier only
5logger.debug(f"Login attempt, user_id={user.id}, request_id={request_id}")

Breach response planning. Logging enables detection, but you need a documented process for what happens when you detect a breach. Who is notified internally? Who makes the ICO notification decision? What information does the ICO notification need to contain? Build this process before you need it.

Third-Party API Compliance

Controller vs processor. If you are using a third-party service that processes personal data on your behalf (a transactional email provider, a cloud infrastructure provider, a payment processor), they are a data processor and you are the controller. You are responsible for their compliance with UK GDPR in that context.

Data Processing Agreements. You must have a written Data Processing Agreement (DPA) in place with every third-party service that processes personal data on your behalf. Most major SaaS providers (AWS, Mailchimp, Stripe, Twilio, SendGrid) offer standard DPAs. Sign and retain them. If a provider cannot produce a DPA, you cannot legally use them to process personal data under UK GDPR.

Sub-processors. Your DPA with a processor should list their sub-processors (the services they in turn use to process your data). For example, your transactional email provider may use AWS infrastructure. You are not required to have a direct DPA with sub-processors, but you need to be aware of who they are and where data is being processed geographically for transfer compliance purposes.

Transfer mechanisms. If a third-party service processes data outside the UK or EU, you need a legal transfer mechanism in place. For transfers from the UK, this is currently UK-specific mechanisms (UK International Data Transfer Agreements, or reliance on UK adequacy decisions where available). Check each service’s data residency options and transfer documentation.

Access Control

Principle of least privilege. Database users used by your application should have the minimum permissions required: read and write to specific tables, not administrative access. Create separate database credentials for read-heavy services (reporting, analytics) and write-heavy services (user-facing application). This limits the blast radius of a compromised credential.

Role-based access control. Implement RBAC in your application and review role assignments regularly. Roles tend to accumulate permissions over time; a periodic audit against what each role actually needs catches privilege creep.

Audit logs for data access. For sensitive data, implement audit logging at the application layer that records which authenticated user accessed which personal data record and when. This is separate from your application error logs and should be tamper-resistant (write-once or append-only, with access restricted from application code).

Developer Checklist: 10 Technical Controls to Implement

  1. Password hashing. Use bcrypt (cost factor 12+) or Argon2id. Remove any MD5 or SHA-1 password hashing immediately.
  2. Encryption at rest. Enable database-level TDE and implement field-level AES-256-GCM encryption for high-sensitivity personal data with keys held in a managed KMS.
  3. TLS configuration. Enforce TLS 1.2 minimum, TLS 1.3 default, HSTS with one-year max-age, no mixed content.
  4. Data minimisation audit. Review every field in your database schema that holds personal data. Remove or stop collecting any field without a documented, active use case.
  5. Hard delete implementation. Build verified cascade deletion for all personal data linked to a user. Test that deletion actually removes records and does not merely flag them.
  6. Third-party DPA inventory. List every SaaS or cloud service that receives personal data. Confirm a signed DPA exists for each. Remove any service that cannot provide one.
  7. Logging hygiene. Audit your application logs for PII. Remove personal data values from log output at every log level. Log identifiers only.
  8. Breach detection logging. Implement structured logging for authentication events, authorisation failures, and bulk data access. Set up alerting for anomalous patterns.
  9. Access control review. Audit database credentials and application roles against the principle of least privilege. Remove administrative access from application database users.
  10. Pseudonymisation for analytics. Replace direct user identifiers in analytics and third-party tracking calls with HMAC-hashed values using a site-specific secret.

Key Takeaways

  • UK GDPR’s technical requirements are identical to EU GDPR’s. Post-Brexit, the ICO enforces them and you need to follow ICO-specific guidance for notifications and transfers.
  • Article 32 requires appropriate technical measures proportionate to your risk. For most applications, this means strong encryption, access controls, pseudonymisation, and documented breach detection.
  • Data minimisation is a field-level decision made by developers, not a legal abstraction. If you cannot justify collecting a field, do not collect it.
  • Right to erasure requires actual deletion cascading through all systems including backups and third-party processors. A soft delete flag does not satisfy the obligation.
  • Do not log personal data values. Log identifiers. Your log files are themselves a personal data store and one of the most commonly overlooked breach vectors.
  • Have a signed DPA with every third-party service that touches personal data. If a provider cannot produce one, you cannot legally use them for that purpose.

Frequently Asked Questions (FAQ)

Does UK GDPR apply if all my users are outside the UK? UK GDPR applies if you are established in the UK, regardless of where your users are. It also applies to organisations outside the UK that offer goods or services to people in the UK or monitor the behaviour of people in the UK. If you are a UK-based developer building for a non-UK audience, UK GDPR applies to your processing activities.

Is encryption mandatory under UK GDPR? Encryption is explicitly listed in Article 32(1)(a) as a recommended measure. It is not an absolute mandatory requirement, because the regulation requires measures “appropriate to the risk.” In practice, for any application handling personal data over the internet, failing to encrypt data in transit and at rest would be very difficult to justify to the ICO. Treat it as required.

What counts as a personal data breach requiring ICO notification? A personal data breach is any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes a misconfigured S3 bucket that exposed records publicly, a phishing attack that gave an attacker access to your email account containing customer data, and accidental deletion of records without backup. Not all breaches require ICO notification: only those likely to result in risk to individuals. High-risk breaches also require notification to affected individuals directly.

How long do we need to retain personal data? UK GDPR does not specify retention periods. You must retain data only as long as necessary for the purpose for which it was collected. Define retention periods for each category of data you hold, document them in your privacy notice, and implement automated purging. Financial records are typically retained for six years under the Companies Act. Marketing consent records should be kept until consent is withdrawn or expires.

Do we need a Data Protection Officer? A DPO is mandatory for public authorities, organisations that process sensitive personal data at large scale, and organisations that carry out large-scale systematic monitoring. For most UK software companies, a DPO is not mandatory but is advisable if you process significant volumes of personal data. The ICO provides guidance on this threshold on their website.

What is the maximum fine for UK GDPR non-compliance? The ICO can issue fines of up to £17.5 million or 4% of global annual turnover (whichever is higher) for the most serious infringements. Lower-tier fines of up to £8.7 million or 2% of global turnover apply to less serious breaches. In practice, most ICO fines are significantly below the maximum and are calibrated to the severity of the breach, the organisation’s cooperation, and the steps taken to remedy the issue.