Does Cyber Essentials cover GDPR?
Section 01
Does Cyber Essentials cover GDPR?
No - Cyber Essentials does not cover GDPR. Cyber Essentials is a technical cybersecurity baseline; the UK GDPR (and EU GDPR) is a data-protection regulation covering lawful basis for processing, data-subject rights, international transfers, and organisational accountability. They overlap at the technical-security boundary but neither replaces the other.
Section 02
Where they overlap
UK GDPR Article 32 requires "appropriate technical and organisational measures" to ensure a level of security appropriate to the risk. The five Cyber Essentials controls - firewalls, secure configuration, user access control, malware protection, and security update management - are the kind of baseline technical measures the ICO's security guidance has in mind, and the ICO points to Cyber Essentials as a good starting point for them.
Holding Cyber Essentials is therefore useful evidence that the technical baseline is in place. It is not a finding of Article 32 compliance: Article 32 also expects organisational measures, resilience, the ability to restore availability and access to personal data after an incident, and regular testing of the measures, none of which the certificate assesses. And it says nothing about the rest of GDPR.
Section 03
What GDPR requires that Cyber Essentials does not
- Lawful basis for processing. Cyber Essentials does not assess whether you have a valid lawful basis.
- Privacy notices, data-subject rights, and consent management. Out of scope.
- Records of Processing Activities (RoPA). Out of scope.
- Data Protection Impact Assessments. Out of scope.
- International data transfer mechanisms (SCCs, IDTA). Out of scope.
- Data Protection Officer designation. Out of scope.
- Breach notification under Articles 33 and 34: telling the ICO within 72 hours of becoming aware of a reportable breach, and affected individuals where the risk to them is high. The five controls reduce the likelihood of a breach, but the scheme requires no logging, monitoring or incident-response process, so detection and notification sit with your data-protection governance, not the certificate.
Section 04
What Cyber Essentials requires that GDPR does not directly
- The 14-day patching rule: security updates rated high or critical (or carrying no vendor severity rating) must be applied within 14 days of release.
- The specific firewall / boundary device configuration rules.
- The specific MFA requirements (administrative accounts, and all user accounts on cloud services where the service offers MFA).
- The specific supported-OS rule: no operating system or software past its vendor's support date.
GDPR requires measures "appropriate" to the risk without saying what they are; Cyber Essentials fixes a concrete bar that the ICO treats as a reasonable baseline. The gap runs the other way too: Cyber Essentials does not require encryption at rest, backups or logging, any of which Article 32 may call for where the risk to the data justifies it.
Section 05
The practical answer for UK SMEs
For most UK SMEs the sensible stack is:
1. Cyber Essentials - technical baseline. Evidence toward the technical measures Article 32 expects.
2. A published privacy notice, a documented lawful basis, a RoPA, a breach-response plan - the organisational GDPR measures.
3. Optional higher tiers - IASME Cyber Assurance Level 2 or ISO 27001 where a contractual or regulatory expectation requires a broader ISMS.
Cyber Essentials is a cornerstone of GDPR technical compliance, not a substitute for GDPR itself.
Section 06
Bottom line
Cyber Essentials does not cover GDPR, but it is the technical baseline the ICO points to as a starting point for Article 32. For UK SMEs, holding both a current CE certificate and a basic GDPR compliance programme (privacy notice, documented lawful basis, RoPA, breach-response plan) is the minimum credible data-protection posture.
Certify in 6 working hours with Fig Group from £299.99 + VAT.
About the author

Jay Hopkins
Managing Director, Fig Group
Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.
Next step
Want to see how Fig handles this?
Discover how Fig helps organisations prepare for security assessments and maintain ongoing compliance.
Request a demo