Security Requirements and Breach Notification
Do data privacy laws or regulations impose obligations to maintain information security controls to protect personal data from unauthorized access or processing?

Last review date: 20 January 2025

Yes.

☒        general obligation to take appropriate / reasonable technical, physical and/or organizational security measures
☒        requirement to undertake third party due diligence (security assessment of third party providers)

Not a strict legal requirement, but encryption is considered by the UK GDPR as an appropriate technical and organizational measure. In practice, the authorities expect encryption unless specific circumstances justify not encrypting.

Do other laws or regulations impose obligations to protect systems from cyberattack?

Last review date: 20 January 2025

☒      public company obligations (e.g., duties to maintain sufficient information security measures or to ensure operational resilience to cyberattacks)

☒      network information security requirements (broader than telecommunications)

☒      financial services requirements

☒      telecommunication requirements

☒      providers of critical infrastructure

Has there been regulatory activity – including enforcement action, investigations, regulatory guidance or other public statements by the regulator – relating to cybersecurity by the following regulators in the last 12 months?

      Data privacy

      financial services

Does data privacy or cybersecurity law impose obligations to make notifications about personal data security breaches?

Last review date: 20 January 2025

Yes.

"Personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Controllers/Owners have to notify:

Last review date: 20 January 2025

☒        data protection authorities

  • in case of a personal data breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons
  • without undue delay and, where feasible, not later than 72 hours after having become aware of it

☒        affected individuals

  • if a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons
  • "without undue delay" (Art 34(1) UK GDPR and s. 68(1) DPA 2018)
  • unless any of the following conditions are met:
      • the controller has implemented technical and organizational protection measures and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;
      • the controller has taken subsequent measures that ensure that the high risk to the rights and freedoms of the data subjects is no longer likely to materialize; or
      • notifying the affected individuals would involve a disproportionate effort, in which case there shall be a public communication or similar measure as set out below

☒        other

There shall be a public communication or similar measure whereby the data subjects are informed in an equally effective manner (instead of informing each data subject individually) if the communication to the data subjects would involve disproportionate effort. On a strict reading of the legislation, there is no specific timeframe in the relevant legislation for making such a public communication or similar measure, although this position would appear not to be in line with the purpose of timely notification to data subjects.

Processors/Agents have to notify:

Last review date: 20 January 2025

☒        controller/owner

  • in case of a personal data breach irrespective of a risk to the rights and freedoms of the data subjects
  • "without undue delay" after becoming aware of it (Art 33(2) UK GDPR and s. 67(9) DPA 2018)

Are there any additional sector-specific or non-personal data security breach notification requirements?

Last review date: 20 January 2025

Yes.

☒        financial services requirements
☒        telecommunication requirements
☒        providers of critical infrastructure
☒        other

Details regarding the identified data security breach notification requirements

PECR require providers of public electronic communications services (e.g., telecoms operators and internet service providers) to notify the ICO of security breaches which lead to the loss or disclosure of personal data, and also to notify the relevant individuals if the breach is likely to adversely affect their privacy. This notification obligation applies to all security breaches, not just serious ones. As a result of Commission Regulation (EU) 611/2013 (the Notification Regulation), such security breaches must be notified to the ICO within 24 hours of detecting the breach, along with information about the breach (where feasible). In addition, full details of the security breach must be provided to the ICO within 3 days; where this is not possible, a justification for the delay must be provided to the ICO, with full details to follow as soon as possible.

The Network and Information Systems Regulations 2018 (NIS Regulations) implement the EU Network and Information Security Directive (NIS Directive) into UK law.

The NIS Regulations impose obligations on Operators of Essential Services (OES) to notify the designated competent authority about any incident which has a significant impact on the continuity of the essential service which that OES provides. This notification must be provided to the competent authority without undue delay and in any event no later than 72 hours after the OES is aware that such an incident has occurred.

In addition, under the NIS Regulations, Relevant Digital Service Providers (RDSP) are required to notify the ICO about any incident having a substantial impact on the provision of any of the digital services the RDSP provides (e.g., online marketplace, online search engine, or cloud computing). The notification to the ICO is required to be made without undue delay and in any event no later than 72 hours after the RDSP is aware that an incident has occurred. This requirement to notify the ICO only applies if the RDSP has access to information which enables it to assess whether the impact of the incident is substantial.

Under the FCA Handbook, regulated financial services firms must notify the Financial Conduct Authority (FCA) of any material cyber incidents. An incident may be material if it:

  • results in significant loss of data, or the availability or control of IT systems;
  • affects a large number of customers; or
  • includes unauthorized access to or a malicious software (malware) infection on the firm's IT systems.

Under Principle 11 of the FCA Handbook, regulated firms must deal with the FCA in an open and cooperative way, but there is no specific timeframe in the relevant regulations for making such a notification.