GDPR Article 32
Article 32 of the General Data Protection Regulation, which requires controllers and processors to implement appropriate technical and organisational security measures.
Last refreshed: 20 May 2026 · Appears in 1 active topic
After South Staffordshire Water, which UK water utility faces an ICO Article 32 investigation next?
Timeline for GDPR Article 32
ICO fines South Staffs Water £963,900
Cybersecurity: Threats and DefencesWhat does GDPR Article 32 require organisations to do?
Why was South Staffordshire Water fined under GDPR Article 32?
Does GDPR Article 32 apply to UK companies after Brexit?
Background
GDPR Article 32 is the security-of-processing provision of the General Data Protection Regulation, requiring data controllers and processors to implement "appropriate technical and organisational measures" to protect personal data against accidental or unlawful destruction, loss, alteration, or disclosure. The article does not specify exact controls; it requires organisations to assess risk and respond proportionately, making it the principal legal lever for data-breach enforcement across the UK and EU.
Article 32 has become the instrument of choice for UK and EU data-protection authorities prosecuting cyber incidents at critical national infrastructure operators. The Information Commissioner's Office applied Article 32 (via the UK GDPR, adopted into domestic law) in its £963,900 fine against South Staffordshire Plc and South Staffordshire Water Plc on 12 May 2026 for a 2022 ransomware intrusion that ran undetected for 20 months. The ICO found monitoring coverage of only 5 per cent of the IT estate, absent Privileged Access Management, and no segmentation between corporate IT and operational technology as failures against the proportionality requirement. A 40 per cent reduction for early admission brought the penalty to £963,900 across 633,887 affected individuals. The South Staffordshire case follows the Capita template established in 2023, which the ICO explicitly cited as precedent for CNI sector enforcement.
The enforcement reach of Article 32 is now demonstrably extending to water-sector CNI before the UK's Cyber Security and Resilience Bill (currently at Commons Report Stage from 2 March 2026) reaches Royal Assent. In practice, NCSC technical guidance on monitoring coverage and network segmentation now carries enforceable weight via the ICO's Article 32 interpretation, setting a de facto baseline the water sector must meet today.