UK Cyber Security and Data Privacy Legislation: Your Essential Guide

Are you using, storing and safeguarding data in the right way? For a cyber security strategy to be fit for purpose, legal compliance must be one of your higher priorities. The starting point is of course the law itself; so with this in mind, here’s a summary of the main pieces of legislation that ought to be on your radar right now…

The Data Protection Act (DPA) 1998

What is it?

The framework for data protection in the UK is set out in this Act – making it top of your list of laws to get familiar with.

DPA applies to all organisations that hold information about living individuals, so it covers staff data as well as customer data. In essence, DPA sets out the standards you must adhere to when handling data. It’s a doorstopper of an Act, but its requirements are encapsulated in eight data protection principles for appropriate data handling. These state that personal information must be:

  • processed fairly and lawfully
  • processed for specified purposes
  • adequate, relevant and not excessive
  • accurate and kept up to date
  • retained for no longer than necessary
  • processed in line with the individual’s rights
  • securely stored
  • not transferred outside the EEA without adequate safeguards in place

Who does it apply to?

If you hold and process information about your clients, employees or suppliers, you are legally obliged to protect that information.

What does it mean for my business?

  • Secure. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Penalties

Fines of up to £500,000 for serious breaches. There is also the possibility of criminal prosecution.

Useful Links

Data Protection Act 1998
Guide to data protection

The General Data Protection Regulation (GDPR)

What is it?

This is scheduled to come into force on 25 May 2018 (Brexit won’t put a stop to that!). So right now, businesses need to look carefully at their data processing and security to ensure compliance.

GDPR aims to make the digital marketplace safer for consumers across Europe – and makes it easier for them to exercise their rights (e.g. the right to be forgotten). In many areas, it enhances and extends the obligations that exist already in DPA, but there are some important new features, too.

Chief among these is the new reporting requirement. Essentially (and for the first time) all organisations will be required to report cyber security incidents involving loss or compromise of personal data to the regulatory authority (i.e. the ICO in the UK).

Who does it apply to?

Anyone who is collecting, storing and processing the personal data of EU residents, i.e. data controllers and data processors.

What does it mean for my business?

  • Data portability, accountability and consent. GDPR enhances the rights of individuals to access their data, to have it transferred and to have it erased. Meanwhile, a newly bolstered principle of accountability requires you to demonstrate that data has been processed in an appropriate manner. It may mean updating your internal procedures to ensure that all of this is possible.
  • Safeguards: are they “state of the art” and “appropriate”? Compliance isn’t a one-off event. In areas such as threat monitoring, upgrading your security programme and staff training, you are obliged to be proactive with risk management.
  • Visibility. A cyber security compromise won’t automatically lead to a fine – but the circumstances surrounding that breach might. Whether or not your infrastructure undergoes regular security testing and the extent to which you can quickly identify, report and rectify breaches will all determine the outcome of any investigation.

Penalties

For the most serious breaches, fines of up to the equivalent of 4% of the organisation’s worldwide annual turnover.

Useful Links

Overview of the General Data Protection Regulation (GDPR)
GDPR: 12 steps to take now

Other legislation…

The Freedom of Information Act 2000

This requires public authorities to publish certain information about their activities. It also entitles members of the public to request information from public authorities.

But in certain circumstances, bodies other than “public authorities” might also be covered: for instance, health clinics that carry out some NHS work, or private companies that have responsibility for carrying out duties on behalf of local authorities (housing, for instance). The ICO’s guide to the Freedom of Information Act provides further information.

Privacy and Electronic Communications Regulations 2003

Sitting alongside DPA, these Regulations provide specific privacy rights relating to electronic communications. They cover areas such as emails, texts, marketing calls, communications security, and traffic and location data.

Key requirements include the following:

  • Direct marketing (solicited and unsolicited). You generally require specific consent to send unsolicited direct marketing. It’s why opt-in and opt-out boxes are a must in email marketing.
  • Telephone marketing. Making unsolicited calls to numbers listed on the Telephone Preference Service (TPS) is prohibited. Heavy restrictions on the use of automated marketing calls are also set out.
  • Marketing lists. Businesses are required to check the origin and accuracy of bought-in lists. Clear records of consent and a ‘do not contact’ list should also be maintained.

Further information

The Information Commissioner’s Office provides guidance on all aspects of data privacy and essential security standards. The ICO also keeps a searchable database of action it has taken against organisations that fall foul of the rules: a handy reminder that the reputational consequences of ignoring the law can be significant!

  • Chuks says:

    Very good stuff, good reference and very handy. Thanks for this

  • Richard says:

    Great article! Concise and informative. I have a question (if you don’t mind). Regarding Monitoring. In areas such as CCTV surveillance and communications monitoring, it is necessary to inform the individuals affected, and (where appropriate) obtain necessary consent.

    How does this apply to photographs and videos in public? If I take a picture and others happen to be in the pic, must I get the consent of the whole crowd? What if I was profiting from a video I recorded of others? Don’t the paparazzi do this all the time?

    Thanks Nathan for any feedback. I only ask as I had a YouTube channel taken down by YouTube for “social experiments” I was conducting. I tried bringing the issue up with YouTube but they weren’t interested. I had at the time a couple of thousand subscribers.

  • Jolanta says:

    Thank you very much for such a helpful article.

  • Peder says:

    Interesting post/article.

    I finished reading through GDPR and all sub-articles and it takes a while to sink in.