GDPR Article 32
Article 32 of the General Data Protection Regulation, which requires controllers and processors to implement appropriate technical and organisational security measures.
Last refreshed: 20 May 2026
Timeline for GDPR Article 32
- 12 May 2026: ICO fines South Staffordshire Water £963,900
- What does GDPR Article 32 require organisations to do?
  - Article 32 requires data controllers and processors to implement appropriate technical and organisational security measures proportionate to the risk, including pseudonymisation, encryption, ongoing confidentiality, and regular testing of controls.
- Why was South Staffordshire Water fined under GDPR Article 32?
  - The ICO found that South Staffordshire Water had only 5 per cent of its IT estate under monitoring, lacked Privileged Access Management, and had no segmentation between corporate IT and operational technology; all three were failures against the Article 32 proportionality requirement for critical national infrastructure. Source: ICO
- Does GDPR Article 32 apply to UK companies after Brexit?
  - Yes. The UK GDPR, retained under the Data Protection Act 2018, carries an equivalent Article 32 obligation enforced by the ICO, with maximum fines of £17.5m or 4% of global annual turnover.
- What is the maximum fine under GDPR Article 32?
  - Under UK GDPR, up to £17.5m or 4% of global annual turnover. Under EU GDPR, up to €20m or 4% of global annual turnover. Fines are discretionary and proportionate; the South Staffordshire Water fine of £963,900 included a 40% reduction for early admission.
Background
GDPR Article 32 is the security-of-processing provision of the General Data Protection Regulation, requiring data controllers and processors to implement "appropriate technical and organisational measures" to protect personal data against accidental or unlawful destruction, loss, alteration, or disclosure. The article does not specify exact controls; it requires organisations to assess risk and respond proportionately, making it the principal legal lever for data-breach enforcement across the UK and EU.
Article 32 has become the instrument of choice for UK and EU data-protection authorities prosecuting cyber incidents at critical national infrastructure operators. The Information Commissioner's Office applied Article 32 (via the UK GDPR, adopted into domestic law) in its £963,900 fine against South Staffordshire Plc and South Staffordshire Water Plc on 12 May 2026 for a 2022 ransomware intrusion that ran undetected for 20 months. The ICO found that monitoring covered only 5 per cent of the IT estate, that Privileged Access Management was absent, and that there was no segmentation between corporate IT and operational technology, and treated each as a failure against the proportionality requirement. A 40 per cent reduction for early admission brought the penalty to £963,900 for a breach affecting 633,887 individuals. The South Staffordshire case follows the Capita template established in 2023, which the ICO explicitly cited as precedent for CNI sector enforcement.
The enforcement reach of Article 32 is now demonstrably extending to water-sector CNI before the UK's Cyber Security and Resilience Bill (at Commons Report Stage since 2 March 2026) reaches Royal Assent. In practice, NCSC technical guidance on monitoring coverage and network segmentation now carries enforceable weight through the ICO's interpretation of Article 32, setting a de facto baseline that the water sector must meet today.