
News & Analysis

Unsupported Software and UK GDPR: The Compliance Risk You Cannot Ignore

Hello, Mauven here.

The phrase “appropriate technical and organisational measures” appears in Article 32 of the UK GDPR. It is not a long article. It is four paragraphs. But that phrase has featured in more ICO enforcement decisions than almost any other in the regulation, because it is where the law meets the reality of how organisations actually manage their technology.

This week’s podcast introduced the Milk Carton Test. I want to approach the same topic from a regulatory angle, because running out-of-support software is not just a technical risk. Depending on what that software handles and how, it may constitute a failure to implement the very measures the law requires.

What Article 32 Actually Requires

Article 32 of the UK GDPR requires controllers and processors to implement technical and organisational measures appropriate to the risk posed to personal data. The standard is not absolute. It is risk-proportionate.

But the regulation specifies factors that must be considered when determining what is “appropriate”: the state of the art, the costs of implementation, the nature and scope of the processing, and the likelihood and severity of risks to individuals. “State of the art” in a cybersecurity context means, at minimum, running software that receives security updates from its vendor. Anything less is increasingly difficult to characterise as meeting that standard.

The Information Commissioner’s Office guidance on data security is direct: organisations must “keep software up to date.” It identifies software that is no longer supported as a known risk factor that should be addressed as part of routine data security practice.

What the ICO Actually Does With This

The ICO does not issue fines for running old software in isolation. It issues fines, reprimands, and enforcement notices when organisations suffer breaches, and the post-incident investigation reveals that known, addressable vulnerabilities contributed to that breach.

The pattern is consistent. An organisation suffers a ransomware attack. The ICO investigation finds the entry point was an unpatched system. The question asked is not “did you know about this specific vulnerability?” but “did you have processes in place to manage your software lifecycle and apply available patches?” If the answer involves out-of-support software that could not receive patches, the regulatory conversation becomes considerably more difficult.

What the ICO looks for, based on its published enforcement decisions, includes: whether the organisation had documented processes for managing software updates; whether there was a known end-of-support date for the software in question; whether the organisation had risk-assessed the continued use of that software; and whether any compensating controls were in place.

An organisation that can produce a documented risk assessment, a migration plan with a firm timeline, and evidence of compensating controls is in a categorically better position than one that knew and did nothing.

Cyber Essentials and the Government Standard

For UK businesses seeking Cyber Essentials certification, the position is less nuanced. The scheme’s technical requirements specify that all software must be “licensed and supported,” and must receive security updates from the vendor. Software that has reached end of support and is no longer receiving security patches will fail the assessment.

This matters for two reasons. First, Cyber Essentials is increasingly a commercial requirement: supply to central government requires it, and many larger private sector organisations now mandate it in their supplier contracts. Losing or failing to obtain Cyber Essentials because of out-of-support software has direct commercial consequences.

Second, Cyber Essentials v3.3, which comes into effect in April 2026, tightens requirements around patching timelines and software lifecycle management. The new version requires that high-severity vulnerabilities be patched within 14 days of a patch becoming available. If no patch is available because the software is out of support, the requirement cannot be met.

The Special Categories Problem

Not all personal data carries the same regulatory weight. UK GDPR identifies “special category” data types that attract significantly higher protection obligations: health data, biometric data, data revealing racial or ethnic origin, trade union membership, religious or philosophical beliefs, genetic data, and data concerning sex life or sexual orientation.

The significance for small businesses is broader than it might seem. A dental or GP practice using an old PC for patient record management is handling special category health data. A community sports club holding data about injuries or disability accommodations may be touching special category data.

For any organisation handling special category data on out-of-support systems, the risk assessment calculus shifts considerably. The ICO’s scrutiny in the event of an incident will be correspondingly more intense.

The Three-Part Risk Assessment

If your organisation is currently using out-of-support software that handles personal data, and migration is not immediately feasible, there is a responsible way to manage the regulatory risk. It has three components.

Document the risk. Write down what the software is, when support ended, what personal data it handles, and why migration has not yet occurred. The ICO does not expect perfection. It expects organisations to understand their own risk landscape and manage it consciously.

Implement compensating controls. Network segmentation: take the out-of-support device off the main network where possible. Access restriction: limit who can log in. Internet access restriction: if the device does not need internet access for its primary function, block it. None of these controls are as good as running supported software, but they demonstrate that the risk has been assessed and managed.

Set a firm migration date. A documented plan with a realistic deadline is evidence, if an incident occurs, that the organisation understood the risk and was actively addressing it. “We knew and had no plan” is the worst possible position in an ICO investigation.
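To make the three components above concrete, here is an added example (not code from the post) of a minimal software risk register checker in Python. Each register entry records what the post says should be documented: the software, when support ended, what personal data it handles, why migration has not yet happened, which compensating controls are in place, and the migration date. The checker flags out-of-support entries, raises the severity where special category data is involved or no migration date exists, and lists exactly what is missing from the documentation. The asset names, field names and sample entries are constructed; the end-of-support date in the sample is the Windows 10 date cited in the post's sources.

```python
"""Out-of-support software risk register checker (added example, not from the post).

Turns the three-part risk assessment into a checkable record per asset:
document the risk, record compensating controls, set a migration date.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set

# Special category data types as listed in the post (UK GDPR Article 9).
SPECIAL_CATEGORIES = {
    "health", "biometric", "racial or ethnic origin", "trade union membership",
    "religious or philosophical beliefs", "genetic", "sex life or sexual orientation",
}

# The compensating controls the post names for out-of-support devices.
EXPECTED_CONTROLS = {"network segmentation", "access restriction", "internet access restriction"}


@dataclass
class Asset:
    name: str
    support_end: Optional[date]          # None = vendor still supplies security updates
    data_categories: Set[str]            # personal data the software handles
    compensating_controls: Set[str] = field(default_factory=set)
    migration_date: Optional[date] = None
    reason_not_migrated: str = ""        # the documented reason the post asks for


@dataclass
class Finding:
    asset: str
    severity: str                        # "high" or "medium"
    issues: List[str]


def assess(asset: Asset, today: date) -> Optional[Finding]:
    """Return a Finding for an out-of-support asset, or None if it is still supported."""
    if asset.support_end is None or asset.support_end > today:
        return None

    issues = []
    days_out = (today - asset.support_end).days
    issues.append(f"out of support for {days_out} days (since {asset.support_end.isoformat()})")

    special = asset.data_categories & SPECIAL_CATEGORIES
    if special:
        issues.append("handles special category data: " + ", ".join(sorted(special)))

    if not asset.reason_not_migrated:
        issues.append("no documented reason why migration has not yet occurred")

    missing = EXPECTED_CONTROLS - asset.compensating_controls
    if missing:
        issues.append("compensating controls not recorded: " + ", ".join(sorted(missing)))

    if asset.migration_date is None:
        issues.append("no firm migration date set")
    elif asset.migration_date < today:
        issues.append(f"migration date {asset.migration_date.isoformat()} has passed")

    # Special category data or no plan at all is the position the post warns about.
    severity = "high" if (special or asset.migration_date is None) else "medium"
    return Finding(asset.name, severity, issues)


def review_register(register: List[Asset], today: date) -> List[Finding]:
    """Assess every asset and return findings, highest severity first."""
    findings = [f for f in (assess(a, today) for a in register) if f is not None]
    findings.sort(key=lambda f: (f.severity != "high", f.asset))
    return findings


# Constructed sample register: one undocumented device, one properly managed, one supported.
SAMPLE_REGISTER = [
    Asset("reception-pc", date(2025, 10, 14), {"contact details", "health"}),
    Asset("accounts-laptop", date(2025, 10, 14), {"financial"},
          {"network segmentation", "access restriction", "internet access restriction"},
          date(2026, 3, 31), "awaiting replacement hardware"),
    Asset("booking-server", None, {"contact details"}),
]

if __name__ == "__main__":
    for finding in review_register(SAMPLE_REGISTER, date(2026, 1, 15)):
        print(f"[{finding.severity.upper()}] {finding.asset}")
        for issue in finding.issues:
            print(f"  - {issue}")
```

Run against the sample register on 15 January 2026, the reception PC comes out as a high-severity finding with five gaps (out of support, health data, no reason recorded, no controls, no migration date), while the accounts laptop is only flagged for being out of support, which is the documented-and-managed position the post describes as categorically better.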

What This Means in Practice for Small Businesses

The regulatory framework does not require perfection. It requires proportionate, documented, conscious risk management.

The businesses that will face the most difficult regulatory conversations are not necessarily the ones that had old software. They are the ones that had old software, knew about it, did nothing about it, suffered a breach, and had nothing to show for their inaction except an unanswered IT support ticket from 2023.

Don’t be that business.

How to Turn This Into a Competitive Advantage

Documented data security practices are increasingly a differentiator in procurement and B2B relationships. If you can demonstrate to a prospective client, or to a procurement committee, that your organisation maintains a software asset inventory and has a process for managing end-of-support situations, you are providing concrete evidence of responsible data stewardship.

For businesses handling client data: this is a conversation worth initiating proactively. Clients who hand you access to their customer records, financial data, or employee information should care whether you are running supported software. The ones who ask will remember the organisations that gave a clear, confident answer.

How to Sell This to Your Board

The regulatory narrative. ICO enforcement in data breach cases consistently examines whether appropriate technical measures were in place. “We were running out-of-support software” is the last thing you want as the first line of an investigation finding.

The certification narrative. Cyber Essentials v3.3, live from April 2026, tightens requirements around supported software. Certification failure has direct commercial consequences for anyone supplying regulated or public sector clients.

The insurance narrative. Ask your broker directly: “Does our current policy cover incidents where the entry point was found to be an out-of-support system?” Get the answer in writing.

Sources

  • ICO: A guide to data security under UK GDPR — Article 32 guidance
  • UK GDPR: Article 32: Security of processing (legislation.gov.uk)
  • NCSC: Obsolete products: guidance for organisations
  • NCSC: Cyber Essentials: requirements and overview
  • Microsoft Support: Windows 10 support has ended on October 14, 2025
  • NCSC: Getting your organisation ready for Windows 11 upgrade before autumn 2025
  • ICO: ICO enforcement actions and decisions

Filed under

  • uk-gdpr
  • compliance-failure
  • end-of-life-software
  • data-protection
  • ico-enforcement
  • cyber-essentials
  • smb-security