Knowledge Hub
for Growth

How to run a cyber security risk assessment

Businesses that are subject to GDPR can only process personal data if they do so securely. This means they need to have appropriate measures in place to protect data from unauthorised processing or accidental loss. This ‘security principle’ is fundamental to proper GDPR compliance, and its importance is strengthened further by the ‘accountability principle’, obliging businesses to be able to clearly show the processes they have in place to process data securely.

An effective way to meet these twin security and accountability requirements is to perform regular cyber security risk assessments designed to:

  • Identify any shortcomings in your data processing activities that could lead to a cyber-attack.
  • Precisely establish what information and technological systems you use and their vulnerability to attack.
  • Swiftly implement procedures to deal with these data security weaknesses.

Here we look at cyber security risk assessments, asking why your business needs to perform them, what’s involved, and how to respond to the results of the risk assessment.

What is a cyber security risk assessment?

If cyber security means reducing the risk of attack and protecting your internal networks then a cyber security risk assessment is the way you examine the cyber security measures your organisation has in place and assess how you can improve them.

Without carrying out these risk assessments at regular intervals you will be unaware of new threats to your data security. You could also miss opportunities to remove unnecessary, expensive cyber controls that are disproportionate to the risks you face. With this in mind it’s clear that cyber security risk assessments are a vital part of any organisation’s data protection and privacy law endeavours.

Why conduct a cyber risk assessment?

Often businesses have no choice but to perform cyber risk assessments. Article 35 of the GDPR states:

 'Where a type of processing in particular using new technologies…is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall…carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.'

But in the context of a commercial world largely driven by data, many of our clients carry out cyber risk assessments even where there is no legal obligation to do so. That’s because most businesses are susceptible to a cyber attack to some degree. And the fallout from an attack that results in a data breach can have significant repercussions: your business may face punitive ICO fines and it may lose significant consumer trust.

How to perform a cyber risk assessment

Article 35 of the GDPR indicates that cyber risk assessments should be carried out ahead of processing high-risk personal data. For most businesses this means assessments need to be carried out regularly with any key takeaways and lessons learned implemented as soon as possible.

Any comprehensive cyber risk assessment should involve the following:

Setting goals for the assessment

It’s important to set limits for the risk assessment so that it doesn’t become too unwieldy and time consuming. Before you start, ensure that everyone involved is clear about the purpose of the assessment and its scope. At this stage any potential hurdles to carrying out the assessment should be identified. For example, is senior management on board with the decision to perform the assessment?

Identifying all assets

You won’t be able to quantify the level of threat to your data and information systems without a clear picture of what you actually have in terms of data, systems, and hardware. So any assessment should start with a detailed data protection audit, establishing how you collect and store data, identifying the categories of data you hold and specifying the purposes you hold the data for. You should then make an inventory of the information assets you hold, chiefly your IT systems and computer hardware and make an assessment of which of these assets are vulnerable to cyber attack.

Determining the value of the data you hold

By attaching a value to the data your organisation controls you are better able to establish the level of risk associated with losing that data. Valuing the data also lets you weigh up the cost to your business of losing the data (or of it becoming the subject of a breach) against the outlay involved in implementing data systems to eradicate these risks.

While it’s often difficult to put a precise value on data you should consider for example:

  • What would a competitor pay for the data?
  • Would a breach cause expensive disruption to the business?
  • What would the ICO be likely to fine your business if you were to lose the data?
  • Would your business suffer damaging publicity if the data were lost?

Identifying potential threats and areas where you could be vulnerable

Recognising potential threats to your data storage and management systems is the crux of any analysis of your organisation’s cyber security. You should consider in particular whether your data systems are vulnerable to hackers, computer viruses or malware. Other threats include the impact of a natural disaster, total system shutdown and employee errors in data processing.

Prioritising risks and subsequent actions such as staff training

Once you have identified risk you need to calculate what, if any, steps you are gong to take to reduce or eliminate that risk. This means creating a high, medium and low hierarchy of risks as follows:

  • High risk – indicates you need to address the threat immediately
  • Medium risk – should be tackled within a reasonable time frame
  • Low risk – may be addressed or company may shoulder risk without taking any remedial steps

Note that as part of your risk assessment you will have valued data and worked out what the cost to the company would be if you were to lose it. If the actions required to address the risk cost more than losing the data, it may well be worth assuming the risk.  

One of the most common threats to cyber security is human error. And it is also the type of threat that can be most effectively addressed by regular staff training and the implementation of relatively straightforward protocols internally. For example, encrypting data where possible, always upgrading IT systems and installing upgrades and fixes when advised to, using effective data retention policies and carrying out security checks on new staff. These are the sorts of actions typical cyber security risk assessments should highlight as being necessary to confront any threats identified.

Remember that every business now faces the risk of cyber attack and no risk assessment will permanently eliminate all risk. Indeed the government’s own National Cyber Security Centre (NCSC) points out – in a guide to the basics of risk management – that when you make a commercial decision to introduce new technology to your operation you must recognise the possibility that it may be compromised or destroyed by cyber criminals.

Documenting findings and next steps

Your impact assessment should identify all risks, estimate how likely it is that a threat could become real, and list recommendations on how to mitigate the risk.

Compiling an impact assessment report detailing your findings will serve as a highly useful internal tool for all those involved in data processing and for managers who need to take spending decisions. But it may also provide useful evidence of GDPR compliance if you ever come under regulatory scrutiny. After all, it demonstrates compliance with the all-important accountability procedure.

As your business grows and develops, the type of cyber risk you face will change. For many companies, cyber security risk assessments aren’t a strict legal obligation. But as we’ve shown, regular risk assessments provide tangible commercial benefits: they can reduce the cost of data processing in the long term, minimise the possibility of regulatory sanctions, and improve consumer trust in your business. In practice, they will often be an important feature of your data protection policies.

About our expert

Becky White

Becky White

Senior Data Protection & Privacy Solicitor
Becky is an experienced data protection and privacy lawyer who qualified in 2002. She supports clients with navigating data protection compliance and provides practical commercial advice related to privacy laws.  

What next?

Our data protection lawyers advise businesses on all data protection matters, including cyber risk assessments. We’ll ensure you meet GDPR and other regulatory compliance requirements in a proportionate manner. Call us on – 0800 689 1700, email us at, or fill out the short form below with your enquiry.

Your data will only be used by Harper James Solicitors. We will never sell your data and promise to keep it secure. You can find further information in our Privacy Policy.

Our offices

A national law firm

A national law firm

Our commercial lawyers are based in or close to major cities across the UK, providing expert legal advice to clients both locally and nationally.

We mainly work remotely, so we can work with you wherever you are. But we can arrange face-to-face meeting at our offices or a location of your choosing.

Head Office

Floor 5, Cavendish House, 39-41 Waterloo Street, Birmingham, B2 5PP
Regional Spaces

Stirling House, Cambridge Innovation Park, Denny End Road, Waterbeach, Cambridge, CB25 9QE
13th Floor, Piccadilly Plaza, Manchester, M1 4BT
10 Fitzroy Square, London, W1T 5HP
Harwell Innovation Centre, 173 Curie Avenue, Harwell, Oxfordshire, OX11 0QG
1st Floor, Dearing House, 1 Young St, Sheffield, S1 4UP
White Building Studios, 1-4 Cumberland Place, Southampton, SO15 2NP
A national law firm

Like what you’re reading?

Get new articles delivered to your inbox

Join 8,153 entrepreneurs reading our latest news, guides and insights.


To access legal support from just £145 per hour arrange your no-obligation initial consultation to discuss your business requirements.

Make an enquiry