UK regulators are paying increasing attention to identity security. From the Information Commissioner's Office (ICO) to the National Cyber Security Centre (NCSC), British organisations are receiving clear guidance on how to approach identity security. Here's what you need to know.
ICO guidance on identity data
The ICO has published extensive guidance on how GDPR applies to identity data:
Data minimisation
Under UK GDPR, organisations must collect only what's necessary. For identity data, this means:
- Collecting only identity attributes actually needed for purpose
- Regularly reviewing whether collected data remains necessary
- Deleting identity data when no longer needed
- Avoiding "just in case" data collection
Security requirements
The ICO expects appropriate technical measures:
- Access controls limiting who can view identity data
- Encryption protecting identity data at rest and in transit
- Logging tracking access to identity data
- Regular testing of security measures
Breach notification
When identity data is compromised, the ICO requires:
- Notification within 72 hours of becoming aware
- Documentation of the breach and its effects
- Evidence of root cause analysis
- Demonstration of remediation
Accountability
Organisations must demonstrate compliance:
- Documented policies on identity data processing
- Records of processing activities
- Evidence of regular reviews
- Data protection impact assessments for high-risk processing
NCSC publications on identity
The National Cyber Security Centre has published guidance specifically relevant to identity security:
Zero Trust Architecture
The NCSC's Zero Trust publications emphasise:
- Verify explicitly - authenticate and authorise based on all available data points
- Least privilege access - limit user access with Just-in-Time and Just-enough-Access
- Assume breach - minimise blast radius and segment access
For UK organisations, this translates to:
- Phishing-resistant MFA (FIDO2, authenticator apps)
- Regular access reviews
- Micro-segmentation where appropriate
- Continuous verification rather than point-in-time checks
Identity and Access Management
The NCSC's IAM guidance covers:
- Effective credential management
- MFA implementation
- Access control models
- Monitoring and logging
Cloud security guidance
For organisations using cloud services:
- Understanding shared responsibility models
- Configuring identity in cloud environments
- Managing cloud-native access controls
FCA expectations for financial services
The Financial Conduct Authority expects financial services firms to address the following:
Operational resilience
- Identify and mitigate cyber risks including identity threats
- Maintain business continuity plans
- Test incident response capabilities
Third-party risk management
- Due diligence on identity vendors
- Ongoing monitoring of supplier security
- Contractual requirements for security
Governance
- Board-level oversight of cyber risk
- Clear accountability for identity security
- Regular reporting to senior management
What the regulators are seeing
From ICO enforcement actions and NCSC publications, we can see regulators' concerns:
Common failures
- Inadequate access controls on identity data
- Failure to implement MFA
- Insufficient logging and monitoring
- Poor handling of identity data breaches
- Lack of data minimisation
Enforcement trends
The ICO has taken action against organisations for:
- Insecure handling of employee identity data
- Failure to respond to data subject requests
- Inadequate security measures
- Unlawful sharing of identity data
Guidance emphasis
Recent regulatory guidance emphasises:
- Privacy by design for identity systems
- Automated approaches to compliance
- Regular testing and validation
- Clear documentation of decisions
How to align with regulatory expectations
For ICO compliance
- Map your identity data: Understand what identity data you hold, where it is, and why
- Implement access controls: Ensure only those who need identity data can access it
- Document your basis: Have clear legal bases for processing identity data
- Respond to requests: Have processes for handling data subject requests
- Report breaches: Have breach detection and notification procedures
For NCSC alignment
- Implement phishing-resistant MFA: Prioritise FIDO2 or authenticator app MFA
- Apply least privilege: Review access regularly, remove unnecessary permissions
- Verify continuously: Move beyond point-in-time checks to continuous verification
- Monitor for anomalies: Implement logging and alerting on identity anomalies
For FCA requirements (if applicable)
- Board reporting: Ensure identity security is a board-level topic
- Vendor due diligence: Apply due diligence to identity vendors
- Incident response: Include identity incidents in your response plans
- Testing: Regularly test identity security controls
The regulatory outlook
Regulatory focus on identity security is intensifying:
NIS2 implementation
The UK's implementation of NIS2 will add requirements for:
- Identity risk management
- Supply chain security
- Incident notification
- Board accountability
AI regulation
Upcoming AI regulation will create new obligations:
- Transparency requirements for AI-driven identity decisions
- Human oversight of automated identity processes
- Documentation of AI system decisions
Cyber insurance alignment
Insurers are increasingly requiring evidence of:
- Identity security controls
- Access review processes
- MFA implementation
- Incident response capabilities
Building regulatory confidence
Organisations that demonstrate strong identity security to regulators typically:
- Document everything: Policies, procedures, decisions, and reviews
- Test regularly: Penetration testing, access reviews, breach simulations
- Respond promptly: Fast, effective response to incidents and requests
- Show improvement: Evidence of continuous security enhancement
- Engage proactively: Work with regulators, report issues early
The regulators are offering guidance. The question is whether your organisation is listening—and acting.