
Data Law Navigator | United Kingdom

Information on Data Protection and Cyber Security laws from CMS experts

The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.

Data Protection

Last reviewed March 2020

Risk scale: Red

Laws

  • The EU GDPR continues to apply directly in the UK during the Brexit transition period.
  • The Data Protection Act 2018 (DPA) covers general processing of personal data in the UK.
  • The DPA supplements the EU GDPR by filling in sections in the EU GDPR left to individual EU Member States to interpret and implement.
  • Data Protection (Charges and Information) Regulations 2018 set out the circumstances in which Data Controllers are required to pay a charge, and provide information, to the Information Commissioner.
  • The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) cover requirements for electronic communications networks and services, including cookies and direct marketing by electronic means. PECR implement the EU Privacy and Electronic Communications Directive (e-Privacy Directive) in the UK. PECR remain in force but should now be interpreted in line with the GDPR and the DPA.
  • With effect from 29 March 2019, Regulation 8 of the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 confirmed that the GDPR standard is also required under PECR.

Authority

Information Commissioner’s Office (ICO): https://ico.org.uk/

Anticipated changes to law

The new EU e-Privacy Regulation is set to replace the e-Privacy Directive in relation to the privacy of electronic communications. In effect, this will replace local EU Member State ePrivacy laws. This is still in the legislative process, with no definite timeframe for implementation.

Upon leaving the EU, the UK will not be automatically subject to the new ePrivacy Regulation. However, it is likely that the UK will seek to achieve alignment to some degree between PECR and the new Regulation.

Brexit

The UK and the EU agreed a withdrawal agreement marking the end of the period under Article 50 TEU and the start of a transition period until 31 December 2020. 
During the transition period, the UK will continue to apply EU law but will no longer be represented in the EU institutions. The transition period can be extended once for a period of up to one or two years, if both sides agree to this before 1 July 2020.

The negotiations on the future partnership between the EU and the UK are ongoing.  As the situation is fast-changing, we do not comment on the anticipated changes to law relating to Brexit here, but please speak to your CMS contact in the UK for the most up-to-date guidance.

If applicable: stage of legislative implementation of GDPR

DPA implemented. The DPA refers to the right of the Secretary of State to exercise certain powers through further regulations on specific topics. None have yet been drafted or implemented, save for the Data Protection (Charges and Information) Regulations 2018 (set out above) and the Data Protection (Charges and Information) (Amendment) Regulations 2019, which exempt certain processing by members of the House of Lords and elected and prospective representatives from the former.

The ICO consulted on a draft code of practice on age-appropriate design for information society services until 31 May 2019 and on a data protection and journalism code until 27 May 2019, each as required under the DPA. The outcome of the consultations will follow in due course.

If applicable: local derogations as permitted by GDPR 

  • Children. The DPA sets 13 as the age of digital consent, below which consent under the GDPR must be given by the person with parental authority.
  • Special categories and criminal records information. The DPA includes detailed bases upon which special categories of personal data and criminal conviction data can be processed for the purposes of Art 9 and 10 GDPR. These are included in Schedule 1 of the DPA which sets out when they apply and any specific conditions that must be met. Specifically:
    • Employment, social security and social protection;
    • Health or social care purposes;
    • Public health;
    • Research;
    • Substantial public interest conditions including:
      • Government purposes;
      • Administration of justice and parliamentary purposes;
      • Equality of opportunity and treatment;
      • Racial and ethnic diversity and senior levels of organisations;
      • Preventing and detecting unlawful acts;
      • Protecting the public against dishonesty;
      • Regulatory requirements relating to unlawful acts and dishonesty;
      • Journalism in connection with unlawful acts and dishonesty;
      • Preventing fraud;
      • Suspicion of terrorist financing or money laundering;
      • Support for individuals with a particular disability or medical condition;
      • Counselling;
      • Safeguarding of children and individuals at risk;
      • Safeguarding of economic well-being of certain individuals;
      • Insurance;
      • Occupational pensions;
      • Political parties;
      • Elected representatives responding to requests;
      • Disclosure to elected representatives;
      • Informing elected representatives about prisoners;
      • Publication of legal judgments;
      • Anti-doping in sport;
      • Standards of behaviour in sport.
    • Additional conditions relating to criminal convictions:
      • Consent
      • Protecting individual’s vital interests;
      • Processing by not-for-profit bodies;
      • Personal data in the public domain;
      • Legal claims;
      • Judicial acts;
      • Administration of accounts used in commission of indecent offences involving children;
      • Insurance.
  • Credit reference agencies. Specific requirements and limitations for credit reference agencies are included in Section 13, DPA.
  • Automated decision-making. The DPA provides that this may be conducted where required or authorised by law but the DPA does not yet give such legal authority. It includes provision for notification of specific information to data subjects about automated decision making required or authorised by law within one month.
  • Exemptions to data subject rights. Section 15, DPA contains certain exemptions and restrictions in respect of data subject rights contained in GDPR which are set out in Schedule 2, DPA. In addition, Schedule 3 contains restrictions in the area of health, social work, education and child abuse. Specific provisions include:
    • Crime and taxation;
    • Immigration;
    • Information required to be disclosed by law or in connection with legal proceedings;
    • Legal professional privilege;
    • Self-incrimination;
    • Corporate finance;
    • Management forecasts;
    • Confidential references;
    • Exam scripts and exam marks;
    • Journalistic, academic, artistic and literary purposes;
    • Health data;
    • Social work data;
    • Education data;
    • Child abuse data;
    • Statutory prohibition.
  • Archiving, research, statistical purposes. Section 19, DPA contains certain safeguards relating to processing that is necessary for archiving in the public interest, for scientific or historical research purposes, or for statistical purposes. It includes UK-specific references for approved medical research with reference to existing statutes and a definition of NHS body.
  • Law enforcement and intelligence services. Part 3, DPA contains specific provisions relating to law enforcement. Part 4 contains specific provisions relating to intelligence services processing.
  • ICO. Part 5, DPA, sets out the appointment of the Information Commissioner as the UK’s supervisory authority and contains details regarding its function and involvement in co-operation and mutual assistance. Part 6, DPA deals with enforcement powers.

Scope

The DPA applies to the processing of personal data and includes the derogations from the GDPR.

The PECR complement the DPA and set out more specific privacy rights concerning electronic communications. However, the PECR apply even if you are not processing personal data. PECR does not include a specific territorial application.

The DPA contains the same territorial scope as the GDPR.

Penalties/enforcement

Part 6, DPA contains details regarding enforcement.

ICO Powers

The ICO has the following powers:

  • To impose information notices;
  • To impose assessment notices;
  • To impose enforcement notices;
  • Entry and inspection;
  • To impose fines:
    • Of a maximum of 20 million Euros or 4% of the undertaking's total annual worldwide turnover in the preceding financial year, whichever is the higher; or
    • 10 million Euros or 2% of the undertaking’s total annual worldwide turnover in the preceding financial year, whichever is the higher.

Data Subject Claims

A data subject may (in addition to making a complaint to the ICO) also make a claim to the courts and an individual may have a right to compensation for material or non-material damage (which includes distress).

Offences

There are certain specific offences under the DPA including:

  • Unlawful obtaining of personal data (could result in a summary conviction, or conviction on indictment to a fine).
  • Re-identification of de-identified personal data (could result in a summary conviction, or conviction on indictment to a fine).
  • Alteration of personal data to prevent disclosure to the data subject (could result in summary conviction or a fine).

Registration/notification 

Under the Data Protection (Charges and Information) Regulations 2018, there is a requirement on Data Controllers to pay data protection fees to the ICO.

The new data protection fee replaces the requirement to ‘notify’ (or register), which was the case under previous data protection regulation.

Main obligations and processing requirements

Data Processing Principles

Art 5(1) GDPR sets out the seven data protection principles that must be complied with when processing personal data:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

Demonstrating compliance

Art 5(2) GDPR includes a new accountability principle, which means that Data Controllers must be able to demonstrate how they are complying with their obligations under the principles in Art 5(1) (set out above).

Art 24 GDPR includes the obligation to implement appropriate technical and organisational measures to ensure and to be able to demonstrate that the processing is performed in accordance with the GDPR. Implementing adequate data protection policies and adhering to approved data protection codes of conduct or approved certification mechanisms are ways to demonstrate compliance with this obligation.

Transparency information

Data controllers are required to inform data subjects of information relating to the processing of the personal data collected about them. This involves information relating to the personal data processed, who the data is processed by and for what purposes the data is processed. The full list of information to be provided to a data subject is set out in Art 13 and 14 GDPR.

This information is to be provided at the time the personal data is obtained from the data subject. However, in the event the data is not obtained directly from the data subject, the information must be provided by the data controller within a reasonable period, and no later than at the point of sharing the data with another party or at the time of first communication when using the data to communicate with the data subject. In any event, the information should be communicated no later than a month after obtaining the personal data.

Lawful basis of processing

Art 6 GDPR requires a data controller to have a valid lawful basis in order to process personal data.

There are six available lawful bases for processing. No single basis is ‘better’ or more important than the others; which basis is most appropriate to use will depend on the purpose of processing and the relationship with the data subject. The lawful bases for processing are as follows:

  • Consent: the individual has given clear consent for a data controller to process their personal data for a specific purpose.
  • Contract: the processing is necessary for the performance of a contract between a data controller and the data subject, or because the data subject has asked the data controller to take specific steps before entering into a contract.
  • Legal obligation: the processing is necessary for a data controller to comply with the law (not including contractual obligations).
  • Vital interests: the processing is necessary to protect someone’s life.
  • Public task: the processing is necessary for a data controller to perform a task in the public interest or for official functions, and the task or function has a clear basis in law. Section 8, DPA sets out that this includes:
    • the administration of justice;
    • exercise of a function of either House of Parliament;
    • exercise of a function conferred on a person by an enactment or rule of law;
    • exercise of a function of the Crown, a minister of the Crown or a government department; or
    • an activity that supports or promotes democratic engagement.
  • Legitimate interests: the processing is necessary for a data controller's legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the data subject’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

Special categories of personal data and criminal convictions personal data

Where special categories of personal data are processed, a lawful basis under Art 6 must be met plus one of a further list of more stringent conditions in Art 9 GDPR. Special categories of personal data refers to information about an individual’s race; ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetics or biometrics (where used for ID purposes); health; sex life or sexual orientation.

There is a choice of ten conditions in the GDPR itself pursuant to which special category data can be processed.

Where personal data relating to criminal offences or convictions (or related security measures) (“criminal data”) is processed, a lawful basis under Art 6 must be met plus the processing must either be carried out under the control of official authority or be authorised under EU or Member State law (Art 10, GDPR).

Section 10 and Schedule 1, DPA introduce additional conditions and safeguards for processing both special categories of personal data and criminal data (as summarised in the derogations section above).

Records of processing

Art 30 GDPR contains a new requirement for businesses employing 250 or more people, or processing personal data frequently, to keep detailed records of personal data processing activities that, as a minimum, set out the information listed in Art 30 GDPR.

Different information has to be included in these records depending on whether an organisation is a Data Controller or a Data Processor. The ICO has released a template document detailing an approach to fulfil the records of processing obligation; however, this document serves as an example and is not binding.

Data subject rights

Under Art 15 – 22 GDPR, data subjects have the following rights:

  • The right to information and transparency.
  • The right of access.
  • The right to rectification.
  • The right to erasure.
  • The right to restrict processing.
  • The right to data portability.
  • The right to object.
  • The right not to be subject to a decision based solely on automated processing, including profiling.

The DPA however contains restrictions on these data subject rights (as covered in the derogations section above).

Data Controllers are required to comply with requests from data subjects exercising these data subject rights, without undue delay and in any event within one month of receipt of the request (subject to some very limited exceptions).

Processing by third parties

Under Art 28 GDPR, data controllers are required to ensure that any data processors (or sub-processors) engaged (for example contractors or suppliers) are assessed to ensure they comply with the GDPR. Further, specific contractual provisions must be put in place with such entities in line with the specific items set out in Art 28 GDPR.

Transfers out of country

Art 44 GDPR imposes restrictions on the transfer of personal data to a third party or an international organisation outside of the European Union, unless the transfer is to an adequate jurisdiction (Art 45 GDPR), a lawful transfer mechanism exists (Art 46 GDPR), or an exemption or derogation applies (Art 49 GDPR).

Some of the Art 49 GDPR exceptions to the restriction are:

  • where the transfer is made with an individual’s informed consent;
  • where a transfer is necessary for the performance of a contract between the individual and the organisation;
  • where a transfer is necessary for the performance of a contract made in the interests of the individual between the data controller and another person.

Data Protection Officer

Under the GDPR, certain organisations are required to have a Data Protection Officer (DPO).

The obligation to have a DPO applies where (Art 37(1) GDPR):

  • the core activities of the data controller or the data processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.

If a DPO is required, additional obligations are imposed on the organisation concerning the position and the tasks of the DPO. These obligations are set out in Art 38 & 39 GDPR and include the requirement that the DPO:

  • is designated on the basis of their expert knowledge of data protection law and practices;
  • reports to the highest management level of the data controller; and
  • is involved in all issues which relate to the protection of personal data within the organisation.

Security

Under Art 32 GDPR, Data Controllers are required to implement appropriate technical and organisational security measures to protect personal data against accidental or unlawful destruction or loss, alteration, unauthorised disclosure or access.

The following are examples of the security measures expected:

  • pseudonymisation and encryption of personal data;
  • ensuring ongoing confidentiality, integrity, availability and resilience of processing systems; and
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Breach notification

Under Art 33 GDPR, where there is a personal data breach, there is an obligation on the data controller to make notifications to the ICO without undue delay and (where feasible) within 72 hours from when it becomes aware of the breach (unless the breach is unlikely to result in a risk to the rights and freedoms of individuals).

Note: “aware” here is when the Data Controller has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised.

Where a breach is likely to result in a high risk to the rights and freedoms of individuals, there is an additional obligation on the Data Controller under Art 34 GDPR, to notify the affected individuals without undue delay. This requirement to notify affected individuals does not apply if:

  • the Data Controller has implemented security measures to the affected personal data which render the data unintelligible to anyone without proper access (e.g. encryption); or
  • the Data Controller takes measures which ensure the high risk posed initially is unlikely to materialise; or
  • it would involve disproportionate effort to make such notification(s) but the Data Controller has instead used a public communication (such as a website notice) or similar measure to ensure all affected individuals are informed effectively.

There is an obligation on Data Processors under Art 33(2) GDPR to notify the Data Controller for which it processes the affected personal data, without undue delay.

The Data Controller is allowed to undertake a short period of investigation in order to establish whether a breach has in fact occurred. During this period of investigation, the Data Controller will not be regarded as being “aware”. However, it is expected that this initial investigation should begin as soon as possible and establish with a reasonable degree of certainty whether a breach has taken place. This should be a short investigation; a more comprehensive exercise should follow after establishing a breach has occurred.

Direct marketing

For B2C direct marketing, PECR prohibits unsolicited electronic communications for direct marketing purposes without prior consent from the individual, unless:

  • the consumer has provided their relevant contact details in the course of purchasing a product or service from the person proposing to undertake the marketing;
  • the marketing relates to offering a similar product or service; and
  • the consumer was given a means to readily opt out of the use of their details for direct marketing purposes, both when their details were collected and in each subsequent marketing communication.

For B2B direct marketing, the requirements are less stringent and such marketing can be done on an “opt out” basis. The rules still require that the sender identifies itself and provides contact details. Sole traders and some partnerships have the same rights as consumers (see above).

For both B2B and B2C direct marketing, individuals always have a right to object at any time (Article 21(3), GDPR).

Cookies

Cookies are covered by PECR. The basic rule is that you must:

  • notify users that cookies are used;
  • explain what the cookies are used for and why;
  • get the user’s consent to store a cookie on their device unless the cookie is:
    • used for the sole purpose of carrying out the transmission of a communication over an electronic communications network; and
    • strictly necessary for the provision of a service requested by the user.

Cookies consent under PECR means consent to the same standard as is required under the GDPR. (See Article 4(11), GDPR.)

Cyber Security

Last reviewed March 2020

Risk scale: Orange

Laws and regulations

Including but not limited to:

  • The Network and Information Systems Regulations 2018 (NISD Regulations)
  • The Network Information Systems Directive (NISD)
  • Communications Act 2003
  • The ePrivacy Directive
  • Privacy and Electronic Communications (EC Directive) Regulations 2003
  • Data Protection Act 2018 (DPA)
  • General Data Protection Regulation (GDPR)
  • Computer Misuse Act 1990 
  • eIDAS Regulation
  • Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (UK eIDAS Regulation)

Anticipated changes to law

Brexit

The UK and the EU agreed a withdrawal agreement marking the end of the period under Article 50 TEU and the start of a transition period until 31 December 2020.

During the transition period, the UK will continue to apply EU law but will no longer be represented in the EU institutions. The transition period can be extended once for a period of up to one or two years, if both sides agree to this before 1 July 2020.

The negotiations on the future partnership between the EU and the UK are ongoing. As the situation is fast-changing, we do not comment on the anticipated changes to law relating to Brexit here, but please speak to your CMS contact in the UK for the most up-to-date guidance.

Application 

NISD Regulations / NISD

The NISD was implemented in the UK on 10 May 2018 by the NIS Regulations.

The NIS Regulations apply to Operators of Essential Services (OES) and Digital Service Providers (DSPs).

OES

  • OES are organisations (public or private) within vital sectors that provide services essential to the economy and society and which place a heavy reliance on information networks.
  • OES are operators in the following sectors that meet certain threshold requirements:
    • sector (energy, transport, health sector, drinking water supply and distribution, and digital infrastructure)
    • subsector – specific elements within an individual sector
    • essential service – describing the specific type of service
    • identification thresholds – size or impact of incident
  • Banking and financial markets infrastructure are omitted as they are already subject to equivalent regulatory requirements.

DSPs

  • A DSP is an organisation that:
    • provides a digital service in the UK as a search engine, online marketplace or cloud computing service;
    • has a head office in the UK or has nominated a representative who is established in the UK; and
    • is not a micro or small enterprise.

Both OES and DSPs must take appropriate and proportionate technical and organisational measures to manage risks posed to the security of the network and information systems. These measures taken must, having regard to the state of the art, ensure a level of security of network and information systems appropriate to the risk posed.

Communications Act 2003 (CA)

The CA provides that Public Electronic Communications Network (PECN) providers and Public Electronic Communications Service (PECS) providers take technical and organisational measures to manage risks to the security of PECNs and PECSs.

Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) / ePrivacy Directive

The ePrivacy Directive was implemented in the UK on 11 December 2003 by PECR, which has been amended several times, most recently in 2019.

PECR compel PECS providers to take technical and organisational measures to ensure the security of their services, by restricting who can access personal data and by protecting the way it is stored or transmitted.

Data Protection Act 2018 (DPA) / GDPR

The DPA / GDPR applies when personal data is being processed. Data protection law imposes obligations: 

  • on Data Controllers to process personal data in a manner that ensures appropriate security of the data (‘integrity and confidentiality’) (Article 5(1), GDPR);
  • on Data Controllers to observe data protection by design and default principles when building systems and processes;
  • on both Data Controllers and Data Processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (Article 32, GDPR); and
  • on Data Controllers to report personal data breaches to data protection authorities and inform affected individuals; Data Processors are obliged to inform the Data Controller if they become aware of a breach.

Computer Misuse Act 1990 (CMA)

The CMA does not impose security obligations on businesses or individuals as such, but creates various cybercrime offences, criminalising acts such as unauthorised access or interference with a computer.

eIDAS Regulation / UK eIDAS Regulation

The eIDAS Regulation came into effect on 1 July 2016 and has direct effect in UK law. It is supplemented by the UK eIDAS Regulation.

The eIDAS Regulation provides a framework which allows EU citizens to use electronic identification to access online public services in other EU Member States.  It also sets out requirements for trust services, setting out what trust service providers need to do in order to gain qualified status, and allows them to use an EU trust mark.

Authority

NIS

OESs and DSPs will be regulated by their relevant Competent Authority (CA). Schedule 1 of the NIS Regulations lists the CAs in respect of OESs, which are sector specific, for example:

  • the Secretary of State for Health (supported by NHS Digital) will be the CA for the healthcare sector; and
  • Ofcom will be the CA for the telecoms sector.

The Information Commissioner’s Office (ICO) will be the CA in respect of the DSPs. 

CA

Ofcom regulates PECNs and PECSs and must be notified by them if there is a breach of security.

PECR

The ICO is the regulator responsible for the administration of PECR.

DPA / GDPR

The ICO is the regulator responsible for the administration of applicable data protection laws in the UK.

eIDAS

The ICO is the UK supervisory body for the trust service provisions of the eIDAS Regulation as provided by the UK eIDAS Regulation. It reports on security breaches, can carry out audits and take enforcement action.

Key obligations

NIS Regulations
  • An OES must notify their designated CA “about any incident which has a significant impact on the continuity of the essential service which that OES provides”. The NIS Regulations provide a number of factors an OES must have regard to in order to determine the significance of the impact of an incident.
  • A DSP must notify the ICO “about any incident having a substantial impact on the provision of any of the digital services …that it provides.” The requirement to notify is only if the DSP has access to information which enables it to assess whether the impact of an incident is substantial. The NIS Regulations provides a number of factors the DSP must take into account in order to determine whether the impact of an incident can be determined to be ‘substantial’
CA
  • A PECN must notify Ofcom of a breach of security that has a significant impact on the operation of a PECN, and of a reduction in the availability of a PECN that has a significant impact on the network.
  • A service provider must notify Ofcom of a breach of security which has a significant impact on the operation of a PECS.
  • After such notification, Ofcom may notify national regulatory authorities in other Member States and the European Network Information Security Agency. Ofcom may also inform the public of a notification either itself or require the PECN provider or PECS provider to do so if Ofcom considers this is in the public interest.
PECR
  • In the case of a data breach, a PECS provider must notify the ICO of the breach within 24 hours of detection, notify the individuals affected in certain cases and maintain a log of personal data breaches.
  • If the breach is likely to adversely affect the personal data or privacy of a subscriber or user, they must also be notified of the breach without undue delay after its detection.
  • The PECS provider is required to maintain a log of personal data breaches to enable the ICO to verify compliance with PECR.
DPA / GDPR
  • Where there is a personal data breach, there is an obligation on the Data Controller to make notifications to the ICO without undue delay and (where feasible) within 72 hours from when it becomes aware of the breach (unless the breach is unlikely to result in a risk to the rights and freedoms of individuals).
  • It may also be necessary to notify affected individuals that a data breach has occurred.CMA
  • Offences include unauthorised access to computer material (with or without intent to commit further offences); unauthorised acts with intent to impact the operation of a computer (viruses, malware, etc.)
eIDAS
  • Trust service providers are obliged to take appropriate technical and organisational measures to manage the risks posed to the security of the trust services they provide, in particular measures to prevent and minimise the impact of security incidents.
  • Where there is a breach of security or loss of integrity that has a "significant impact" on a trust service (or on the personal data maintained in it), the trust service provider must notify the ICO within 24 hours of becoming aware of it.
  • If users are likely to be affected, they must also be notified.
  • In some circumstances, ICO may decide to inform the wider public about a breach or require the trust service provider to do so.
  • The ICO may also suspend or revoke the cross-border authentication or the parts concerned and inform other EU Member States and the European Commission.

Penalties/Enforcement

NIS Regulation

Organisations that contravene the NIS Regulation are subject to a maximum financial penalty of £17 million for a material contravention which the relevant enforcement authority determines has caused, or could cause, an incident resulting in an immediate threat to life or significant adverse impact on the UK economy.

Designated CAs monitor OESs' compliance through an audit process, with the aim of identifying and addressing non-compliance before an incident occurs.

DSPs will not be audited, with enforcement being applied to DSPs after an incident has occurred, or if a DSP is reported to the CA as being non-compliant.

It is possible to be fined under both the NIS Regulations and the GDPR for the same incident (so-called ‘double jeopardy’) provided there are distinct bases for doing so (i.e. there is a breach of data protection law, and a separate breach of the NIS Regulations).

CA 

Ofcom can impose fines of up to £2,000,000 and suspend an entitlement to provide networks or services, in addition to its audit and investigatory powers.

PECR

The ICO can: 

  • audit PECS providers;
  • impose enforcement notices, information notices and monetary penalty notices of up to £500,000 on PECS providers;
  • prosecute PECS providers for failure to comply with a notice; and
  • carry out 'dawn raid' search and seizure investigations with a warrant. 

A PECS provider that fails to comply with the breach notification requirement may be subject to a fixed monetary penalty notice of £1,000.

Individuals who suffer damage as a result of a PECS provider's breach of the PECR may bring compensation claims.

DPA / GDPR

See “Data Protection” above.

CMA

Offences under section 3ZA (unauthorised acts causing, or creating a risk of, serious damage) are tried on indictment and are punishable by life imprisonment where the damage relates to human welfare (including loss of life) or national security, or by up to 14 years' imprisonment where the damage is to the economy or environment. Making, supplying or obtaining articles intended for use in such an offence is also an offence.

The ICO can also bring prosecutions under the CMA.

UK eIDAS Regulation

The ICO has powers to:

  • carry out audits and make recommendations;
  • serve an Enforcement Notice where there has been a breach, requiring specified steps to be taken to comply with the law;
  • issue a Monetary Penalty Notice requiring payment of £1,000;
  • prosecute organisations that fail to comply with an Enforcement Notice (except in Scotland); and
  • make reports to Parliament on issues of concern.

If an organisation fails to comply with an ICO enforcement notice, assessment notice (for a compulsory audit) or information notice, the ICO can also invoke its powers to impose fines up to the higher of €20 million, or 4% of total worldwide annual turnover. 

Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

The NCSC (which is part of GCHQ) does not regulate the NIS Regulations but has a role in providing technical support and guidance by the following:

  • a Single Point of Contact (SPOC) for engagement with EU partners, coordinating requests and submitting annual incident statistics;
  • a Computer Security Incident Response Team (CSIRT) to provide advice and support where reported incidents are identified, or suspected, as having a cyber security aspect; and
  • being the Technical Authority on Cyber Security, supporting OESs and CAs with advice and guidance and acting as a source of technical expertise. For example, it provides:
    • a set of 14 NIS Security Principles for securing essential services;
    • a collection of supporting guidance for each principle;
    • a Cyber Assessment Framework (CAF) incorporating indicators of good practice; and
    • implementation of guidance and support to CAs.     

Is there a national incident management structure for responding to cybersecurity incidents?

Yes, see above.

Other cybersecurity initiatives

The Cyber Security Information Sharing Partnership (CiSP) is a joint industry and government initiative set up to exchange cyber threat information in real time to increase awareness with the aim of reducing the impact of cybersecurity breaches on UK business.

Cyber Essentials is a government scheme aimed at highlighting security controls that will help organisations mitigate the risk to their IT systems from internet-based threats. The scheme focuses on five essential mitigations within the context of the 10 Steps to Cyber Security. It provides organisations with guidance on implementation, as well as offering independent certification for those who need it.


Authors

Emma Burnett
Partner
London
James Colvin
Associate
London
Joseph Ndep
Associate
London
Katherine Eyres