Data Law Navigator | United Kingdom
Information on Data Protection and Cyber Security laws from CMS experts
The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.
Jump directly to Cyber Security
Last reviewed 13 June 2019
- The Data Protection Act 2018 (DPA) covers general processing of personal data and implements the derogations from GDPR.
- Data Protection (Charges and Information) Regulations 2018 set out the circumstances in which data controllers are required to pay a charge, and provide information, to the Information Commissioner.
- GDPR took effect on 25 May 2018.
- The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) covers requirements for electronic communications networks and services, including cookies and direct marketing by electronic means The regulations implement the EU Privacy and Electronic Communications Directive (e-Privacy Directive) in the UK. This remains in force but should now be interpreted in line with GDPR and the DPA.
- With effect from 29 March 2019, Regulation 8 of the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 confirmed that the GDPR standard is also required under PECR.
Information Commissioner’s Office (ICO): https://ico.org.uk/
Anticipated changes to law
The new EU e-Privacy Regulation is set to replace the e-Privacy Directive. In effect, this will replace PECR, the UK’s implementation of the e-Privacy Directive. This is still in the legislative process, with no definite timeframe for implementation.
In the final stages before the UK leaves the EU, whether the UK will leave with an agreement with the EU or not, and what the terms of any such agreement would be, are currently uncertain. As the situation is fast-changing, we do not comment on the anticipated changes to law relating to Brexit here, but please speak to your CMS contact in the UK for the most up-to-date guidance.
If applicable: stage of legislative implementation of GDPR
DPA implemented. The DPA refers to the right of the Secretary of State to exercise certain powers through further regulations on specific topics. None have yet been drafted or implemented, save for the Data Protection (Charges and Information) Regulations 2018 (set out above) and the Data Protection (Charges and Information Amendment Regulations 2019 which exempt certain processing by members of the House of Lords and elected and prospective representatives from the former. The ICO consulted on a draft code of practice on age-appropriate design for information society services until 31 May 2019 and on a data protection and journalism code until 27 May 2019, each as required under the DPA. The outcome of the consultations will follow in due course.
If applicable: local derogations as permitted by GDPR
- Children. The DPA uses 13 as the age at which consent is required from the person with parental authority under GDPR.
- Special categories and criminal records information. The DPA includes detailed bases upon which special categories of personal data and criminal conviction data can be processed for the purposes of Art 9 and 10 GDPR. These are included in Schedule 1 of the DPA which sets out when they apply and any specific conditions that must be met. Specifically:
- Employment, social security and social protection;
- Health or social care purposes;
- Public health;
- Substantial public interest conditions including:
- Government purposes;
- Administration of justice and parliamentary purposes;
- Equality of opportunity and treatment;
- Racial and ethnic diversity and senior levels of organisations;
- Preventing and detecting unlawful acts;
- Protecting the public against dishonesty;
- Regulatory requirements relating to unlawful acts and dishonesty;
- Journalism in connection with unlawful acts and dishonesty;
- Preventing fraud;
- Suspicion of terrorist financing or money laundering;
- Support for individuals with a particular disability or medical condition;
- Safeguarding of children and individuals at risk;
- Safeguarding of economic well-being of certain individuals;
- Occupational pensions;
- Political parties;
- Elected representatives responding to requests;
- Disclosure to elected representatives;
- Informing elected representatives about prisoners;
- Publication of legal judgments;
- Anti-doping in sport;
- Standards of behaviour in sport.
- Additional conditions relating to criminal convictions:
- Protecting individual’s vital interests;
- Processing by not-for-profit bodies;
- Personal data in the public domain;
- Legal claims;
- Judicial acts;
- Administration of accounts used in commission of indecent offences involving children;
- Credit reference agencies. Specific requirements and limitations for credit reference agencies are included in Section 13, DPA.
- Automated decision-making. The DPA provides that this may be conducted where required or authorised by law but the DPA does not yet give such legal authority. It includes provision for notification of specific information to data subjects about automated decision making required or authorised by law within one month.
- Exemptions to data subject rights. Section 15, DPA contains certain exemptions and restrictions in respect of data subject rights contained in GDPR which are set out in Schedule 2, DPA. In addition, Schedule 3 contains restrictions in the area of health, social work, education and child abuse. Specific provisions include:
- Crime and taxation;
- Information required to be disclosed by law or in connection with legal proceedings;
- Legal professional privilege;
- Corporate finance;
- Management forecasts;
- Confidential references;
- Exam scripts and exam marks
- Journalistic, academic, artistic and literary purposes;
- Health data;
- Social work data;
- Education data;
- Child abuse data;
- Statutory prohibition.
- Archiving, research, statistical purposes. Section 19, DPA contains certain safeguards relating to processing that is necessary for archiving in the public interest that is necessary for scientific or historical research purposes or is necessary for statistical purposes. It includes UK specific references for approved medical research with reference to existing statutes and a definition for NHS body.
- Law enforcement and intelligence services. Part 3, DPA contains specific provisions relating to law enforcement. Part 4 contains specific provisions relating to intelligence services processing.
- ICO. Part 5, DPA, sets out the appointment of the Information Commissioner as the UK’s supervisory authority and contains details regarding its function and involvement in co-operation and mutual assistance. Part 6, DPA deals with enforcement powers.
The DPA applies to the processing of personal data and includes the derogations from the GDPR.
The PECR complement the DPA and set out more specific privacy rights concerning electronic communications. However, the PECR apply even if you are not processing personal data. PECR does not include a specific territorial application.
The DPA contains the same territorial scope as the GDPR.
Part 6, DPA contains details regarding enforcement.
The ICO has the following powers:
- To impose information notices;
- To impose assessment notices;
- To impose enforcement notices;
- Entry and inspection;
- To impose fines:
- Of a maximum of 20 million Euros or 4% of the undertakings total annual worldwide turnover in the preceding financial year, whichever is the higher; or
- 10 million Euros or 2% of the undertaking’s total annual worldwide turnover in the preceding financial year, whichever is the higher.
Data Subject Claims
A data subject may (in addition to making a complaint to the ICO) also make a claim to the courts and an individual may have a right to compensation for material or non-material damage (which includes distress).
There are certain specific offences under the DPA including:
- Unlawful obtaining of personal data (could result in a summary conviction, or conviction on indictment to a fine).
- Re-identification of de-identified personal data (could result in a summary conviction, or conviction on indictment to a fine).
- Alteration of personal data to prevent disclosure to the data subject (could result in summary conviction or a fine).
Registration / notification
Under the Data Protection (Charges and Information) Regulations 2018, there is a requirement on data controllers to pay data protection fees to the ICO.
The new data protection fee replaces the requirement to ‘notify’ (or register), which was the case under previous data protection regulation.
Controllers who have a current registration (or notification) under the previous regulation do not have to pay the new fee until that registration has expired.
Main obligations and processing requirements
Data Processing Principles
Art 5(1) GDPR sets out the seven data protection principles that must be complied with when processing personal data:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality (security)
Art 5(2) GDPR includes a new accountability principle, which means that Data Controllers must be able to demonstrate how they are complying with their obligations under the principles in Art 5(1) (set out above).
Art 24 GDPR includes the obligation to implement appropriate technical and organisational measures to ensure and to be able to demonstrate that the processing is performed in accordance with the GDPR. Implementing adequate data protection policies and adhering to approved data protection codes of conduct or approved certification mechanisms are ways to demonstrate compliance with this obligation.
Data controllers are required to inform data subjects of information relating to the processing of their personal data collected. This involves information relating to the personal data processed, who the data is processed by and for what purposes the data is processed. The full list of information to be provided to a data subject is provided in Art 13 and 14 GDPR.
This information is to be provided at the time the personal data is obtained from the data subject. However, in the event the data is not obtained directly from the data subject, the information must be provided by the data controller within a reasonable period, and no later than at the point of sharing the data with another party or at the time of first communication when using the data to communicate with the data subject. In any event, the information should be communicated no later than a month after obtaining the personal data.
Lawful basis of processing
Art 6 GDPR requires a data controller to have a valid lawful basis in order to process personal data.
There are six available lawful basis for processing. No single basis is ’better’ or more important than the others – which basis is most appropriate to use will depend on the purpose of processing and relationship with the data subject. The lawful basis for processing are as follows:
- Consent: the individual has given clear consent for a data controller to process their personal data for a specific purpose.
- Contract: the processing is necessary for the performance of a contract between a data controller and the data subject or because the data subject has asked the data controller take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for a data controller to comply with the law (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for a data controller to perform a task in the public interest or for official functions, and the task or function has a clear basis in law. Section 8, DPA sets out that this includes:
- the administration of justice;
- exercise of a function of either House of Parliament;
- exercise of a function conferred on a person by an enactment or rule of law;
- exercise of a function of the Crown, a minister of the Crown or a government department; or
- an activity that supports or promotes democratic engagement.
- Legitimate interests: the processing is necessary for a data controllers legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the data subject’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
Special categories of personal data and criminal convictions personal data
Where special categories of personal data and criminal conviction (and related) personal data is processed, one of the above lawful basis must be met plus one of a further list of more stringent conditions in Art 9 GDPR. Special categories of personal data refers to information about an individual’s race; ethnic origin; politics; religion; trade union membership; genetics; biometrics (where used for ID purposes); health; sex life; or sexual orientation.
There are ten conditions for processing special category data in the GDPR itself and to process criminal conviction personal data you must have legal or official authority. Section 10 and Schedule 1, DPA introduce additional conditions and safeguards for processing both categories of personal data (as covered in the derogations section above).
Records of processing
Art 30 GDPR contains a new requirement for businesses employing 250 or more people, or processing personal data frequently, to keep detailed records of personal data processing activities that as a minimum set out the information contained in Art 30 GDPR.
There are separate requirement for a Data Controller and a Data Processor concerning the information to be included in these records. The ICO has released a template document detailing an approach to take to fulfil the records of processing obligation; however, this document serves as an example and is not binding.
Data subject rights
Under Art 15 – 22 GDPR, data subject have the following rights:
- The right to information and transparency.
- The right of access.
- The right to rectification.
- The right to erasure.
- The right to restrict processing.
- The right to data portability.
- The right to object.
- right not to be subject to a decision based solely on automated processing, including profiling.
The DPA however contains restrictions on these data subject rights (as covered in the derogations section above).
Data controllers are required to comply with requests from data subjects exercising these data subject rights, without undue delay and in any event within one month of receipt of the request.
Processing by third parties
Under Art 28 GDPR, data controllers are required to ensure that any data processors (or sub-processors) engaged (for example contractors or suppliers) are assessed to ensure they comply with the GDPR. Further, specific contractual provisions must be put in place with such entities in line with the specific items set out in Art 28 GDPR.
Transfers out of country
Art 44 GDPR imposes restrictions on the transfer of personal data to a third party or an international organisation outside of the European Union unless the transfer is to an adequate jurisdiction (Art 45 GDPR), a lawful transfer mechanism exists (Art 46 GDPR), or an exemption or derogation applies (Art 49 GDPR).
Some of the Art 49 GDPR exceptions to the restriction, are:
- where the transfer is made with an individual’s informed consent;
- where a transfer is necessary for the performance of a contract between the individual and the organisation;
- where a transfer is necessary for the performance of a contract made in the interests of the individual between the data controller and another person.
Data Protection Officer
Under the GDPR, certain organisations are required to have a Data Protection Officer (DPO).
The obligation to have a DPO, applies where (Art 37(1) GDPR):
- the core activities of the data controller or the data processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.
If a DPO is required, additional obligations are imposed on the organisation, involving the position and the tasks of the DPO. These obligations are set out in Art 38 & 39 GDPR and include the requirement that the DPO:
- is designated on the basis of their expert knowledge of data protection law and practices;
- reports to the highest management level of the data controller; and
- is involved in all issues which relate to the protection of personal data within the organisation.
Under Art 33 GDPR, data controllers are required to implement appropriate technical and organisational security measures to protect personal data against accidental or unlawful destruction or loss, alteration, unauthorised disclosure or access.
The following are examples of the security measures expected:
- pseudonymisation and encryption of personal data;
- ensuring ongoing confidentiality, integrity, availability and resilience of processing systems; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Under Art 33 GDPR, where there is a personal data breach, there is an obligation on the data controller to make notifications to the ICO within 72 hours from when it becomes aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
Where a breach is likely to result in a higher level of risk to the rights and freedoms of individuals, there is an additional obligation on the data controller under Art 34 GDPR, to notify the affected individuals without undue delay. This requirement to notify affected individuals does not apply if:
- the data controller has implemented security measures to the affected personal data which render the data unintelligible to anyone without proper access (e.g. encryption);
- the data controller takes measures which ensure the high risk posed initially is unlikely to materialise; and
- It would involve disproportionate effort to make such notification(s) and the data controller has used alternative public communications to ensure all affected individuals are informed effectively.
There is an obligation on data processors under Art 33(2) GDPR to notify the data controller for which it processes the affected personal data, without undue delay.
Note: “aware” here is when the data controller has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised.
The data controller is allowed to undertake a short period of investigation in order to establish whether a breach has in fact occurred. During this period of investigation, the data controller will not be regarded as being “aware”. However, it is expected that this initial investigation should begin as soon as possible and establish with a reasonable degree of certainty whether a breach has taken place. This should be a short investigation; a lengthy one can follow after establishing a breach has occurred.
The PECR prohibits unsolicited electronic communications for direct marketing purposes without prior consent from the individual, unless:
- the consumer has provided their relevant contact details in the course of purchasing a product or service from the person proposing to undertake the marketing;
- the marketing relates to offering a similar product or service; and
- the consumer was given a means to readily opt out of the use of their details for direct marketing purposes, both at the original point where their details were collected and in each subsequent marketing communication.
Individuals always have a right to object to direct marketing at any time.
Cookies are covered by the PECR. The basic rule is that you must:
- tell people the cookies are there;
- explain what the cookies are doing and why;
- get the person’s consent to store a cookie on their device if the cookie is:
- used for the sole purpose of carrying out the transmission of a communication over an electronic communications network;
- strictly necessary for the provision of a service requested by the user.
- ICO: https://ico.org.uk/
Last reviewed 13 June 2019
Laws and regulations
Including but not limited to:
- The Network and Information Systems Regulations 2018 (NISD Regulations)
- The Network Information Systems Directive (NISD)
- Communications Act 2003
- The ePrivacy Directive
- Privacy and Electronic Communications (EC Directive) Regulations 2003
- Data Protection Act 2018 (DPA)
- General Data Protection Regulation (GDPR)
- Computer Misuse Act 1990
- eIDAS Regulation
- Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (UK eIDAS Regulation)
Anticipated changes to law
As the situation over the UK leaving the EU is uncertain and fast-changing, we do not comment on the anticipated changes to law relating to Brexit here, but please speak to your CMS contact in the UK for the most up-to-date guidance.
NISD Regulations / NISD:
The NISD was implemented in the UK on 10 May 2018 by the NISD Regulations.
The NISD Regulations applies to Operator of Essential Services (OES), and Digital Service Providers (DSPs).
- OES are organisations (public or private) within vital sectors that provide services essential to the economy and society which place a heavy reliance on information networks.
- Under the NISD Regulations OES are determined using the following criteria:
- sector (energy, transport, health sector, drinking water supply and distribution and digital infrastructure)
- subsector – specific elements within an individual sector
- essentials service – describing the specific type of service
- identification thresholds – size or impact of incident
- Banking and financial markets infrastructure are omitted
- Thresholds appear to only capture most important organisations
- An organisation that provides a digital service in the UK where the head office for that provider is in the UK or that provider has nominated a representative who is established in the UK and will include:
- search engines
- online market places
- cloud computing service
Requirements will not apply to DSPs who are micro and small enterprises.
Both OESs and DSPs must take appropriate and proportionate technical and organisational measures to manage risks posed to the security of the network and information systems.
These measures taken must, having regard to the state of the art, ensure a level of security of network and information systems appropriate to the risk posed.
Communications Act 2003 (CA):
The CA provides that Public Electronic Communications Network (PECN) providers and Public Electronic Communications Service (PECS) providers take technical and organisational measures to manage risks to the security of PECNs and PECSs.
Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) / ePrivacy Directive:
The ePrivacy Directive was implemented in the UK on 11 December 2003 by PECR, which has been amended several times, most recently in 2018.
The PECR compels PECS providers to take technical and organisational measures to ensure the security of its services by restricting who can access personal data and protect the way it is stored or transmitted.
Data Protection Act 2018 (DPA):
The DPA imposes broad obligations on data controllers requiring them to take appropriate measures to protect against the unlawful processing, loss, destruction or transfer of personal data.
Data controllers and data processors are required to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
Computer Misuse Act 1990 (CMA):
The CMA does not impose security obligations on businesses or individuals, but creates various cybercrime offences, criminalising acts such as unauthorised access or interference with a computer.
eIDAS Regulation / UK eIDAS Regulation:
The eIDAS Regulation came into effect on 1 July 2016 and has direct effect in UK law. It is supplemented by the UK eIDAS Regulation.
The eIDAS Regulation provides a framework which allows EU citizens to use electronic identification to access online public services in other EU Member States. It also sets out requirements for trust services, setting out what trust service providers need to do in order to gain qualified status, and allows them to use an EU trust mark.
The ICO is the UK supervisory body for the trust service provisions of the eIDAS Regulation as provided by the UK eIDAS Regulation. It reports on security breaches.
The OESs and DSPs will be regulated by their relevant Competent Authority (CA). In Schedule 1 of the NISD Regulations there is a list of CAs in respect of the OESs, which are sector specific, for example:
- the Secretary of State for Health (supported by NHS Digital) will be the CA for the healthcare sector; and
- Ofcom will be the CA for the telecoms sector.
The Information Commissioner’s Office (ICO) will be the CA in respect of the DSPs and the UK supervisory body for the trust service provisions of the eIDAS Regulation as provided by the UK eIDAS Regulation.
- An OES must notify their designated CA “about any incident which has a significant impact on the continuity of the essential service which that OES provides”. The NISD Regulations provides a number of factors an OES must have regard to in order to determine the significance of the impact of an incident.
- A DSP must notify the ICO “about any incident having a substantial impact on the provision of any of the digital services …that it provides.” The requirement to notify is only if the DSP has access to information which enables it to assess whether the impact of an incident is substantial. The NISD Regulations provides a number of factors the DSP must take into account in order to determine whether the impact of an incident can be determined to be ‘substantial’
- PECN must notify Ofcom of any security breach or reduction in availability which has a significant impact on operation of the PECN.
- After such notification, Ofcom will notify national regulatory authorities in other member states and the European Network Information Security Agency.
- In the case of a data breach, a PECS provider must notify the ICO of the breach within 24 hours of detection, notify the individuals affected in certain cases and maintain a log of personal data breaches.
- Data controllers must notify the ICO without undue delay and, where feasible, within 72 hours after becoming aware of the personal data breach, if the breach risks the rights and freedoms of an individual.
- Data controllers are required to report a personal data breach to the competent Supervisory Authority (SA) without undue delay and, where feasible, not later than 72 hours after becoming aware of it unless the personal data breach is unlikely to result in a risk to the rights and freedoms of data subjects.
- Offences include unauthorised access to computer material (with or without intent to commit further offences); unauthorised acts with intent to impact the operation of a computer (viruses, malware, etc.)
eIDAS Regulation / UK eIDAS Regulation
- Trust service providers are also obliged to take appropriate technical and organisational measures to manage the risks posed to the security of the trust services they provide, in particular measures to prevent and minimise the impact of security incidents.
- Where an electronic identification scheme is breached or partly compromised, there is an obligation on the trust service provider to notify the ICO within 24 hours and users without undue delay, each in certain circumstances. The EU Member State must also suspend or revoke the cross-border authentication or the parts concerned and inform other EU Member States and the European Commission.
NISD Regulations: Maximum financial penalty of £17m for all breaches under the NISD.
Designated CAs will monitor OESs’ compliance through an auditing process to prevent non-compliance
DSPs will not be audited, with enforcement being applied to DSPs after an incident has occurred, or if a DSP is reported to the CA as being non-compliant
CA 2003: Ofcom is responsible for enforcing breaches of CA 2003. They can impose fines of up to £2,000,000 and suspend entitlement to provide network or services.
DPA 2018: see above.
UK eIDAS Regulation: ICO may impose fines of £1,000 for breaches of the eIDAS Regulation and impose enforcement, assessment and/or information notices, failure to comply with which could lead to more substantial fines of up to 20 million Euros or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher.
It will be possible to be fined under both the NISD Regulations and the GDPR for the same incident (so-called ‘double jeopardy’) provided there are distinct bases for doing so (i.e. there is a breach of data protection law, and a separate breach of the Regulations).
What is the role of the National Cyber Security Centre (NCSC)?
The NCSC) (which is part of GCHQ) will not regulate the NISD Regulations - its role is to provide technical support and guidance by the following:
- Single Point of Contact (SPOC) – for engagement with EU partners, coordinating requests and submitting annual incident statistics
- Computer Security Incident Response Team (CSIRT) to provide advice and support where reported incidents are identified / suspected of having a cyber security aspect.
- Technical Authority on Cyber Security – to support OESs and CAs with advice/ guidance and act as a source of technical expertise. For example, it provides:
- a set of 14 NIS Security Principles for securing essential services
- a collection of supporting guidance for each principle
- a Cyber Assessment Framework (CAF) incorporating indicators of good practice
- implementation guidance and support to CAs
Is there a national incident management structure for responding to cybersecurity incidents?
Yes, see above.
Other cybersecurity initiatives
The Cyber Security Information Sharing Partnership (CiSP) is a joint industry and government initiative set up to exchange cyber threat information in real time to increase awareness with the aim of reducing the impact of cybersecurity breaches on UK business.
Cyber Essentials is a government scheme aimed at highlighting security controls that will help organisations mitigate the risk to their IT systems from internet-based threats. The scheme focuses on five essential mitigations within the context of the 10 Steps to Cyber Security. It provides organisations with guidance on implementation, as well as offering independent certification for those who need it.
- The National Cyber Security Centre: https://www.ncsc.gov.uk/information/ncsc-support-nis-directive-implementation
- UK’s current Cyber Security Strategy: https://www.gov.uk/government/publications/national-cyber-security-strategy-2016-to-2021
- Cyber Essentials Scheme overview: https://www.gov.uk/government/publications/cyber-essentials-scheme-overview
- Cyber Security Breaches Survey 2019: https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2019