Data protection and privacy

UK data protection legislation is primarily made up of:

1. Regulation (EU) 2016/679 (the “GDPR”) as incorporated into the domestic law of the UK pursuant to section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”);
2. The Data Protection Act 2018 (the “DPA 2018”),¹ which tailors the application of the UK GDPR within the UK; and
3. The Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended from time to time) (“PECR”), which implements the requirements of the e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EU).

There are other related areas of law, such as the common law duty of confidentiality and the tort of misuse of private information which may also be relevant in the context of processing personal data.

The UK GDPR regulates the processing of personal data in the UK:

• Information is generally considered as being personal if it relates to an identified or identifiable natural person (Article 4(1) UK GDPR) (see the answer to question [4] for further detail).
• The term “processing” is defined broadly and covers any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

The UK GDPR applies to:

• Businesses that are established in the UK, and that process personal data (either as a controller or processor, and regardless of whether or not the processing takes place in the UK) in the context of that establishment;
• A business that is not established in the UK, but is subject to the laws of the UK by virtue of public international law; and
• Businesses outside the UK if they (either as controller or processor) process the personal data of individuals in the UK in relation to: (i) offering of goods or services (whether or not in return for payment) to individuals in the UK; or (ii) monitoring the behaviour of individuals in the UK (to the extent that such behaviour takes place in the UK).

PECR sets out specific rules on marketing calls, emails, texts, faxes, and the use of cookies and similar technologies, and includes security and breach notification requirements for providers of public electronic communications services.

Cybersecurity

The legal framework that regulates cybersecurity in the UK is made up of a number of different laws, including but not limited to:

• Data protection legislation – The UK GDPR specifies obligations (including security obligations) that are applicable to organisations before processing personal data.
• The Network and Information Systems Regulations 2018 (SI 2018/506) (“NIS Regulations”) – Sets out cybersecurity obligations applicable to digital service providers, as well as providers of services deemed critical to the UK economy.
• Computer Misuse Act 1990 (“CMA 1990”) – Specifies the criminal offences applicable to misuse of computer equipment.
• PECR – Specifies security obligations of public electronic communications network providers and public electronic communications service providers.
• Communications Act 2003 (“CA 2003”) – Outlines security obligations of public electronic communications network providers and public electronic communications service providers.
• Telecommunications (Security) Act 2021 (“Security Act”) – Outlines security obligations of public electronic communications network providers and public electronic communications service providers.
• The Electronic Communications (Security Measures) Regulations 2022 (“Security Regulations”) – Specifies detailed requirements applicable to public electronic communications network providers and public electronic communications service providers which complement the requirements of the Security Act.
• Product Security and Telecommunications Infrastructure Act 2022 (“PSTI 2022”) – Specifies obligations applicable to manufacturers, importers, and distributors of relevant connectable consumer product-types to protect such products against cyber-attacks.
• Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023/1007 (“PSTI Regulations”) – Specifies relevant product security requirements building on the obligations set out in PSTI 2022.
• Investigatory Powers Act 2016 – Specifies obligations for the interception of communications such as emails and telephone calls.

This is not an exhaustive list, and organisations doing business in the UK should be aware of the impact of the common law and laws imposing indirect obligations relating to cybersecurity (such as the Companies Act 2006).

Finally, the UK is not required to implement Directive (EU) 2022/2555 (known as “NIS 2”) following its departure from the EU. However, the UK government has announced its intention to introduce the “Cyber Security and Resilience Bill” to Parliament in 2025, which is designed to enhance the UK’s existing cybersecurity framework.

Regulatory authorities

• Information Commissioner’s Office (“ICO”) – The ICO oversees compliance with data protection law and the law relating to privacy and electronic communications. The ICO also occasionally issues guidance relating to cybersecurity.
• The Office of Communications (“Ofcom”) – Ofcom is the UK’s communications regulator and has jurisdiction over telecommunications service providers. Ofcom is also responsible for overseeing compliance with the CA 2003 and the Security Act, and the relevant requirements on security (including cybersecurity) of telecommunications service providers.
• The Office for Product Safety and Standards (“OPSS”) – The OPSS is responsible for overseeing compliance with the PSTI 2022 and PSTI Regulations.

Other regulators and government departments issue cybersecurity guidance from time-to-time (such as the National Cyber Security Centre), and businesses operating within the remit of such regulators should be aware of, and familiar with, the latest guidance issued.

Footnote(s):

¹ References to “UK GDPR” used throughout this guide should be read to include “DPA 2018”.

Several draft laws have been proposed to update the UK’s existing data protection, privacy and cybersecurity laws, aligning them with international standards. For example:

• The Data (Use and Access) Bill (expected to enter into force in 2026); and
• The Cyber Security and Resilience Bill (expected to be introduced to Parliament in 2025).

The UK Government has also published legislative proposals for tackling the issue of ransomware in the UK. The UK Government is currently assessing public feedback to the proposals.

Data Protection

Under the Data Protection (Charges and Information) Regulations 2018, any UK entity that processes personal data as a controller (i.e., determines the purposes and means of the processing of personal data, per Article 4(7) UK GDPR) must register with the ICO and pay a fee, unless they are exempt.

There are three tiers for the level of fee payable, ranging from £40 to £2,900. The relevant tier that an entity falls in depends on a number of factors, such as number of staff and annual turnover. A controller is exempt from the requirement to pay fees if it only processes personal data for certain limited purposes, such as for the purposes of staff administration, advertising, marketing and public relations, or keeping accounts and records of transactions.

The maximum fine for failing to pay the annual ICO data protection fee, or failing to pay the correct fee, is £4,350 per entity.

NIS

Organisations that are required to comply with the NIS Regulations (e.g., online search engines, online marketplaces and cloud computing services) with a head office in the UK and that are not a micro or small enterprise, must register with the ICO as a relevant digital service provider. There is no fee for registration, but it is a separate process from registering with the ICO under data protection legislation. Failure to register can result in regulatory enforcement, including fines for non-compliance with the NIS Regulations.

Consumer connectable products

There is no general licensing or registration requirement under PSTI or the PSTI Regulations. However, certain in-scope businesses must ensure compliance with security requirements and maintain technical documentation. For example, manufacturers may be required to issue a statement of compliance (or a summary of a statement of compliance), in accordance with Schedule 4 of the PSTI Regulations.

The UK GDPR uses the terms “personal data” and “special categories of personal data”.

“Personal data” means “any information relating to an identified or identifiable natural person” (Article 4(1) UK GDPR). Taking each of these elements in turn:

• “any information” is a very broad category, including any type of data or information irrespective of whether it is objective or subjective, accurate or inaccurate;
• “relating to” means that the data must relate to or in some way connect with the relevant individual (ICO guidance clarifies that a range of factors need to be considered here, including the content of the information, the purpose(s) of processing and the likely impact of effect of that processing on the individual);
• “identified or identifiable” means that an individual can be identified, directly or indirectly, either: (i) from the relevant data alone; or (ii) in combination with any other available information; and
• “natural person” means an individual.

For the avoidance of doubt, the UK GDPR does not apply to data that are entirely anonymous (i.e., data from which no individuals can be identified, whether directly or indirectly). However, data that has been “pseudonymized” (i.e., all identifying information has been stripped out and replaced with a unique code, but that code can be used to re-identify individuals if needed) continue to be “personal data”, even if such re-identification is extremely unlikely.

“Special categories of personal data” are types of personal data that the UK GDPR identifies as requiring a higher level of protection (Article 9(1) UK GDPR). These include:

• personal data revealing racial or ethnic origin;
• personal data revealing political opinions;
• personal data revealing religious or philosophical beliefs;
• personal data revealing trade union membership;
• genetic data;
• biometric data (where used for the purpose of uniquely identifying a natural person);
• data concerning health;
• data concerning a natural person’s sex life; and
• data concerning a natural person’s sexual orientation.

Additional rules also apply to the processing of personal data relating to criminal convictions and offences or related security measures (Article 10 UK GDPR).

Other key definitions include the following:

• “Controller” means “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4(7) UK GDPR).
• “Processor” means “a natural or legal person, public authority, agency or other body who processes personal data on behalf of the controller” (Article 4(8) UK GDPR).
• “Processing” means “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” (Article 4(2) UK GDPR).
• “Data subject” means an identified or identifiable natural person to whom personal data relates (Article 4(1) UK GDPR).
• “Personal data breach” means “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed” (Article 4(12) UK GDPR).
• “Profiling” means “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements” (Article 4(4) UK GDPR).

Under the UK GDPR, the following key principles apply to the processing of personal data:

• Transparency – Personal data must be processed lawfully, fairly and in a transparent manner. Controllers must provide certain minimum information to data subjects regarding the collection and further processing of their personal data. Such information must be provided in a concise, transparent, intelligible, and easily accessible form, using clear and plain language.
• Lawful basis for processing – Processing of personal data is lawful only if, and to the extent that, it is permitted under UK data protection law. The UK GDPR provides an exhaustive list of legal bases on which personal data may be processed, of which the following are the most relevant for businesses:
  • prior, freely given, specific, informed and unambiguous consent of the data subject;
  • contractual necessity (i.e., the processing is necessary for the performance of a contract to which the data subject is a party, or for the purposes of pre-contractual measures taken at the data subject’s request);
  • compliance with legal obligations (i.e., the controller has a legal obligation, under the laws of the UK, to perform the relevant processing); or
  • legitimate interests (i.e., the processing is necessary for the purposes of legitimate interests pursued by the controller, except where the controller’s interests are overridden by the interests, fundamental rights or freedoms of the affected data subjects).
• Please note that businesses require stronger grounds to process special categories of personal data. The processing of special categories of personal data is only permitted under certain conditions, of which the most relevant for businesses are:
  • explicit consent of the affected data subject;
  • the processing is necessary in the context of employment law; or
  • the processing is necessary for the establishment, exercise or defence of legal claims.
• The processing of personal data relating to criminal convictions and offences is only permitted where it takes place under the control of official authority, or is authorised by applicable law in the UK.
• Purpose limitation – Personal data may only be collected for specified, explicit, and legitimate purposes and must not be further processed in a manner that is incompatible with those purposes. If a controller wishes to use the relevant personal data in a manner that is incompatible with the purposes for which they were initially collected, it must: (i) inform the data subject of such new processing; and (ii) be able to rely on a lawful basis as set out above.
• Data minimisation – Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which those data are processed. A business should only process the personal data that it actually needs to process in order to achieve its processing purposes.
• Retention – Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
• Accuracy – Personal data must be accurate and, where necessary, kept up to date. A business must take every reasonable step to ensure that personal data that are inaccurate are either erased or rectified without delay.
• Data security – Personal data must be processed in a manner that ensures appropriate security of those data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
• Accountability – The controller is responsible for, and must be able to demonstrate, compliance with the data protection principles set out above.

As noted in answer to question [5], consent is one of the legal bases upon which personal data (including special categories of personal data) may be processed.

The UK GDPR defines “consent” as meaning “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement of by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” (Article 4(11) UK GDPR).

Taking each of the core aspects in turn, to be valid under the UK GDPR consent must be:

• Freely given – The data subject must have: (i) a genuine choice and control over how their personal data is used, without coercion or detriment for refusing; and (ii) the ability to easily withdraw their consent at any time (although withdrawal will not affect the lawfulness of processing up to that point).
• Specific – Granular consent for each specific purpose and processing activity must be sought (where appropriate and not unduly disruptive or confusing).
• Informed – At a minimum, the data subject must be informed of the identity of the data controller, the purposes of processing, the types of personal data being processed, and of their right to withdraw consent at any time. (Data subjects should also be provided with the information set out in Articles 13 and 14 UK GDPR to the extent applicable.)
• Unambiguous – It must be obvious that the individual has consented, and what they have consented to by means of clear, affirmative action. This means consent cannot generally be implied.

The UK GDPR is clear that consent should not be bundled up as a condition of service unless it is necessary for that service (Article 7(4) and Recital 43 UK GDPR).

Consent to cookies and direct marketing is also required under PECR. Fresh consent may need to be obtained if cookie use changes over time, and individuals who have consented to direct marketing communications need to be provided with the option to ‘opt-out’ or ‘unsubscribe’ in all subsequent communications.

As noted in answer to question [5], when processing special categories of personal data, additional conditions must be satisfied. In particular, the processing of special categories of personal data is only permitted if one of the specific conditions provided for under the UK GDPR DPA 2018 are satisfied, namely:

• the data subject has given explicit consent;
• the processing is necessary in the context of employment law;
• the processing is necessary to protect the vital interests of the data subject (or of another natural person where the data subject is physically or legally incapable of giving consent);
• the processing is carried out in the course of legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
• the processing relates to personal data which are manifestly made public by the data subject;
• the processing is necessary for the establishment, exercise or defence of legal claims;
• the processing is necessary for reasons of substantial public interest;
• the processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services (with a basis in law);
• the processing is necessary for reasons of public interest in the area of public health (with a basis in law); or
• the processing is necessary for archiving, research or statistical purposes (with a basis in law).

The processing of personal data relating to criminal convictions and offences is only permitted where it takes place under the control of an official authority, or is authorised by applicable law in the UK.

Article 2 UK GDPR establishes certain processing activities that are not in-scope of the UK GDPR. Most notably, Article 2(2)(c) UK GDPR establishes that the processing of personal data by a natural person in the course of a purely personal or household activity is outside the scope of the UK GDPR.

Besides Article 2 UK GDPR, there are limited exemptions to certain rights and obligations under the UK GDPR. For example:

• Data subjects seeking to exercise their right to access, rectification, restriction, erasure, and/or not to be subject to automated decision-making may have their requests refused if such requests are “manifestly unfounded” or “manifestly excessive”; although a restrictive approach is adopted when interpreting these terms.
• Schedules 2-4 of the DPA 2018 outline specific and limited circumstances in which certain, specified provisions of the UK GDPR may be disapplied. For example, where personal data is processed: (i) for the prevention or detection of crime; (ii) the apprehension or prosecution of offenders; or (iii) the assessment or collection of a tax, duty, or imposition of a similar nature, Articles 13(1)-(3) and 14(1)-(4) (among others) may be disapplied.

As noted above, the exemptions are limited in nature and are not generally available to commercial organisations which conduct usual data processing activities in the UK.

Data Protection Impact Assessments (“DPIAs”) are required where a type of processing (in particular using new technologies) is “likely to result in a high risk” to the rights and freedoms of data subjects (Article 35(1) UK GDPR).

In particular, controllers are required to complete DPIAs in the case of (Article 35(3) UK GDPR):

• a systematic and extensive evaluation of personal data based on automated processing (including profiling) involving decisions that produce legal effects;
• processing special category or criminal offence data on a large scale; or
• systematic monitoring of a publicly accessible area on a large scale.

The ICO has specified that the following is likely to result in a “high risk” (and therefore require a DPIA before processing begins):

• Innovative technology – Processing that involves the use of innovative techniques, or the novel application of existing technologies (including AI).
• Denial of service – Decisions about an individual’s access to a product, service, opportunity or benefit that is based to any extent on automated decision-making (including profiling) or involves the processing of special category data.
• Large-scale profiling – Any profiling of individuals on a large scale.
• Biometrics – Any processing of biometric data.
• Genetic data – Any processing of genetic data (other than that processed by an individual GP or health professional for the provision of health care direct to the data subject).
• Data matching – Combining, comparing or matching personal data obtained from multiple sources.
• Invisible processing – Processing of personal data that has not been obtained directly from the data subject in circumstances where the controller considers that compliance with Article 14 UK GDPR would prove impossible or involve disproportionate effort.
• Tracking – Processing which involves tracking an individual’s geolocation or behaviour, including but not limited to the online environment.
• Targeting of children or other vulnerable individuals – The use of the personal data of children or other vulnerable individuals for marketing purposes, profiling or other automated decision-making, or if you intend to offer online services directly to children.
• Risk of physical harm – Where the processing is of such a nature that a personal data breach could jeopardise the (physical) health or safety of individuals.

If required, a DPIA must be carried out prior to the processing (Article 35(1) UK GDPR) and should contain at least the following (Article 35(7) UK GDPR):

• a systematic description of the envisaged processing activities (including the purposes of processing and, where applicable, the legitimate interests pursued);
• an assessment of the necessity and proportionality of processing in relation to the purposes;
• an assessment of the risks to the rights and freedoms of individuals; and
• the measures envisaged to address the risks.

In addition, the ICO has stated that: (i) transfer risk assessments must be conducted when personal data is being transferred from the UK to a non-adequate jurisdiction pursuant to an Article 46 UK GDPR safeguard; and (ii) legitimate interest assessments should be conducted when relying on legitimate interest as a legal basis for processing.

Children’s Data – The Age-Appropriate Design Code (“AADC”)

In September 2021, the ICO’s AADC took effect. The purpose of the AADC is to help ensure that service providers put the best interests of children first when designing any “information society service” (“ISS”).

The AADC sets out 15 standards which businesses in the UK must comply with where they provide ISSs to children. These include standards on, among other things: (i) DPIAs; (ii) transparency; (iii) detrimental use of data; (iv) policies and community standards; (v) default settings; (vi) data sharing; (vii) parental controls; and (viii) connected toys and devices.

The AADC explains that businesses failing to comply with the AADC are likely to find it more difficult to demonstrate processing is fair and complies with the GDPR and PECR, and would therefore be more likely to face sanctions.

Health Data

The DPA 2018 defines “data concerning health” as “personal data relating to the physical or mental health of an individual, including the provision of health care services, which reveals information about his or her health status”.

On 31 August 2023, the ICO published guidance on processing employee health data (the “Employee Health Data Guidance”). The Employee Health Data Guidance is aimed at employers. It is designed to help employers understand their data protection obligations under the UK GDPR, and provides further information on appropriate legal bases for processing (including by way of retention) employee health data. The guidance also recommends that employers conduct DPIAs in relation to the processing of employee health data.

Records of processing activities (“ROPAs”) should be maintained by businesses that process personal data subject to the UK GDPR, and should cover all applicable processing activities (i.e., not just processing of employee data).

Organisations which have fewer than 250 employees, are not required to maintain ROPAs unless such an organisation conducts processing that:

• is likely to result in a risk to the rights and freedoms of data subjects;
• is not occasional; or
• includes special category data or personal data relating to criminal convictions or offences.

Article 30 UK GDPR states that ROPAs must contain:

• the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
• the purposes of processing;
• a description of the of the categories of data subjects and of the categories of personal data;
• the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;
• where applicable, details of transfers of personal data to a third country or an international organisation;
• where possible, the envisaged time limits for erasure of the different categories of data; and
• where possible, a general description of the technical and organisational security measures.

The ICO is entitled to demand a copy of ROPAs, and failure to produce up-to-date ROPAs to the ICO on request is an infringement of the UK GDPR.

In addition, it is advisable (and usual) for businesses to maintain a range of other data protection policies tailored to their activities, such as a data protection policy, a data retention and disposal policy, a data breach policy, and training materials.

While the UK GDPR does not explicitly require data retention and/or data disposal policies and procedures, it is nevertheless advisable to implement and maintain such policies and procedures in order to demonstrate compliance with the UK GDPR.

For example, such policies and procedures will help businesses demonstrate compliance with certain key principles of the UK GDPR, namely:

• Data minimisation – Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which those data are processed. A business should only process the personal data that it actually needs to process in order to achieve its processing purposes.
• Data retention – Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. It is therefore advisable for businesses to establish data retention and data disposal policies and procedures.

As noted in answer to question [9], controllers may be required to conduct DPIAs. Controllers are required to consult with the ICO where a DPIA indicates that the processing would result in a “high risk” to the rights and freedoms of data subjects and the controller cannot mitigate or reduce the risk (Article 36(1) GDPR).

This involves:

• The controller sending to the ICO a copy of the DPIA, a description of the respective roles and responsibilities of any joint controllers or processors, the purposes and methods of the intended processing, the measures and safeguards to protect individuals, and contact details of the Data Protection Officer (if appointed);
• The ICO acknowledging receipt, checking that it has the necessary information, and then informing as to whether it accepts the DPIA for prior consultation within 10 days (with an explanation as to its reasoning); and
• If the ICO provides advice under the prior consultation process, it will respond within 8 weeks of receipt of the DPIA (extendable to 14 weeks for complex cases).

As a result of consultation, the ICO could: (i) come to the view that risks have been sufficiently identified and mitigated, and that the controller may proceed with processing; (ii) provide advice on how risks can be further mitigated before the controller is allowed to proceed with processing; (iii) issue an official warning, explaining the reasons for its concern(s) and the recommended steps to avoid any contravention of the UK GDPR; or (iv) impose a limitation or ban on the intended processing.

Controllers and processors can voluntarily appoint a Data Protection Officer (“DPO”), but a DPO must be appointed in certain circumstances (Article 37(1) UK GDPR). Namely, a DPO must be appointed if:

• the processing is being carried out by a public authority or body (except for courts acting in their judicial capacity);
• the core activities of the controller or processor consist of processing activities requiring regular and systematic monitoring of data subjects on a large scale; or
• the core activities of the controller or processor consist of the large-scale processing of special category data or criminal offence data.

A DPO should be involved in all issues that relate to the protection of personal data. The UK GDPR outlines the minimum tasks required by the DPO, which include: (i) informing the controller/processor, including their relevant employees, who processes personal data, of their obligations under the UK GDPR; (ii) monitoring compliance with the UK GDPR, other national data protection legislation and internal policies in relation to the processing of personal data, including internal audits; (iii) advising on DPIAs and the training of staff; and (iv) co-operating with the ICO and acting as the primary contact point for the purposes of the ICO on issues related to the processing of personal data by the relevant entity (Article 39(1) UK GDPR).

A group of undertakings may appoint a single DPO, provided that DPO is easily accessible from each establishment.

Additionally, where an organisation is not established in the UK, but processes personal data in the context of either offering goods or services to individuals in the UK or monitoring the behavior of individuals in the UK, it must appoint a representative in the UK (Article 27 UK GDPR). The representative is responsible for receiving complaints and interacting with the ICO.

The UK GDPR does not explicitly require employee training on data protection.

It is generally recommended that organisations processing personal data provide training to their personnel in respect of such processing. This is because training for personnel may: (i) help demonstrate compliance with the accountability principle (described in answer to question [5]); and (ii) form part of the “appropriate and technical organisational measures” that controllers must implement under Article 24 UK GDPR.

In addition, and as noted in answer to question [14], one of the DPOs responsibilities is to monitor compliance with applicable data protection laws, “including the… training of staff involved in processing operations” (Article 39(1) UK GDPR).

Data subjects have the right to be informed about the collection and use of their personal data under Articles 13 and 14 UK GDPR.

At the time when personal data are obtained from the data subject, the controller must provide the data subject with (Article 13 UK GDPR):

• the identity and the contact details of the controller and, where applicable, of the controller’s representative;
• the contact details of the DPO, where applicable;
• the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
• where processing is based on legitimate interest, the legitimate interests pursued by the controller or by a third party;
• the recipients or categories of recipients of the personal data, if any;
• where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision, or of the safeguards in place to protect such transfers where there is no adequacy decision being relied upon to allow the transfer, and how to obtain copies of the same;
• the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
• the rights available to the data subject (i.e., (i) the right of access; (ii) the right to rectification; (iii) the right to erasure; (iv) the right to restriction; (v) the right to object; (vi) the right to data portability; (vii) the right to withdraw consent (to the extent consent is relied upon); and (viii) the right to complain to a supervisory authority); and
• the existence of automated decision-making, including profiling.

Where personal data has not been obtained from the data subject, the controller is required to provide the data subject with the above-mentioned information: (i) within a reasonable period after obtaining the personal data, but at the latest within one month; (ii) if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or (iii) if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed (Article 14 UK GDPR).

Such information is typically provided by way of an external privacy notice (e.g., on a website) and an internal privacy notice, made available to employees (e.g., on an intranet). Such information must be provided in a concise, transparent, intelligible, and easily accessible form, using clear and plain language.

As noted in answer to question [4], the UK GDPR distinguishes between controllers and processors as follows:

• “Controller” means “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4(7) UK GDPR).
• “Processor” means “a natural or legal person, public authority, agency or other body who processes personal data on behalf of the controller” (Article 4(8) UK GDPR).

In line with this distinction, controllers have a higher level of responsibility under the UK GDPR. For example, controllers have obligations to maintain ROPAs (Article 30 UK GDPR), conduct DPIAs where necessary (Article 35 UK GDPR), and notify the ICO in the case of a personal data breach (Article 33 UK GDPR).

In contrast, processors have more limited obligations under the UK GDPR. For example, processors are obliged to conduct processing in accordance with Article 28(3) UK GDPR (which regulates data processing agreements), maintain a record of all categories of processing activities carried out on behalf of the controller (Article 30(2) UK GDPR), and notify the controller without undue delay after becoming aware of a personal data breach (Article 33(2) UK GDPR).

Automated decision-making

“Automated decision-making” is the making of a decision about an individual based solely on automated processing, including profiling, without any human involvement. Such decision-making is regulated by Article 22 UK GDPR.

The UK GDPR further defines “profiling” as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements” (Article 4(4) UK GDPR).

Automated decision-making is permissible under the UK GDPR, provided there is a valid legal basis (Article 6 UK GDPR) for processing personal data in this context and the processing is sufficiently transparent (Articles 13 and 14 UK GDPR).

Notably, data subjects have the right not to be subject to automated decision-making when it is solely based on automated processing, including profiling, which produces legal effects or similarly significant effects them (Article 22 UK GDPR). Such processing is only permissible if: (i) the decision is: (a) necessary for entering into, or performance of, a contract with the relevant data subject; (b) authorised by applicable law; or (c) based on the data subject’s explicit consent; and (ii) the controller implements suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, including at least the right to obtain human intervention on the part of the controller, express their point of view and contest the decision (Articles 22(2) and (3) UK GDPR).

The use of special category personal data in automated decision-making (including profiling) is subject to further restrictions. Such data may only be processed in the context of automated decision-making where: (i) there are suitable measures to safeguard the data subject’s rights; and (ii) the legal basis is explicit consent or necessity for reasons of substantial public interest on the basis of applicable law (Article 22(4) UK GDPR).

Employee monitoring

The ICO explains that employee monitoring means “any form of monitoring of people who carry out work on your behalf”. This can include monitoring workers on particular work premises or elsewhere, and is not limited to working hours. The types of monitoring technologies used may include CCTV, technologies for monitoring timekeeping or access control, or the tracking of internet activity and keystrokes.

Employee monitoring must comply with applicable data protection laws. This means:

• a valid legal basis should be relied upon (Article 6 UK GDPR) when processing personal data in this context;
• the employee monitoring activities must be communicated to employees (Articles 13, 14 and 21(4) UK GDPR);
• a DPIA should be conducted in relation to such monitoring (and must be conducted if it is likely to cause a high risk to data subjects’ interests); and
• the views of employees (or their representatives) should be sought when considering the use of monitoring technologies.

Cookies

“Cookies” are not defined in PECR, but the ICO has clarified that a “cookie” is “a small text file that is downloaded onto ‘terminal equipment’ (eg a computer or smartphone) when the user accesses a website [which] allows the website to recognise that user’s device and store some information about the user’s preferences or past actions”.

The storage of cookies (or other data) on an end-user’s device requires prior consent form that end user (the applicable standard of consent is derived from the UK GDPR). For consent to be valid, it must be informed, specific, freely given and must constitute a real and unambiguous indication of the individual’s wishes (i.e., some form of clear affirmative action). This requirement for consent does not apply if the cookie or similar technology: (i) is for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or (ii) is strictly necessary to provide an ISS (e.g., a service over the internet) requested by the subscriber or user, which means that it must be essential to fulfil their request. The ICO stated in the AADC that cookies placed for the sole purpose of age verification are considered to be “essential”, and therefore do not require consent.

The UK GDPR does not explicitly define “targeted advertising” or “behavioral advertising”.

Processing personal data for the purposes of such advertising must be compliant with applicable requirements of, amongst others, the UK GDPR and DPA 2018. For example, an organisation engaged in such processing must have a valid legal basis, comply with the transparency requirements, and comply with the relevant requirements of PECR (as outlined in answer to question [18] in the context of cookies).

The UK GDPR does not explicitly define the term “sale” or establish any specific restrictions. However, the “sale” of personal data would constitute “processing” under the UK GDPR. As such, the sale of personal data should be caried out in accordance with the requirements of the UK GDPR, DPA 2018, and any other relevant laws and terms (e.g., consumer protection laws and contractual terms with the relevant individuals). Requirements would include, having a valid legal basis for the processing (Article 6 GDPR) of personal data in this context and processing in a sufficiently transparent manner (Articles 13 and 14 UK GDPR).

“Direct marketing” is generally understood as promoting services or goods to individuals.

PECR requires businesses to obtain consent before sending electronic communications to individuals for the purpose of direct marketing. There are some narrow exemptions to this requirement. Also, data subjects have the right to object to the processing of personal data for the purpose of direct marketing, including profiling.

PECR does not specifically restrict marketing in a business-to-business context, although it is generally considered good practice for businesses to offer an opt-out of electronic direct marketing, such as emails or text messages, to other corporate bodies (e.g., in the footer of any marketing email sent on a B2B basis).

PECR does not generally prohibit unsolicited marketing calls; however, the UK has established an opt-out register (the Telephone Preference Services (the “TPS”)). It is a legal requirement not to make unsolicited marketing calls to numbers registered in the TPS without the consent of the relevant individual subscriber.

The maximum fine for sending direct marketing communications in breach of applicable law is £500,000, although typical fines are generally below this level. The ICO does tend to be pro-active in taking enforcement action against entities which violate the legal requirements relevant to direct marketing.

“Biometric data” means “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data” (Article 4(14) UK GDPR).

Biometric data is a form of special category personal data if it is processed “for the purpose of uniquely identifying a natural person” (Article 9(1) UK GDPR). Accordingly, the processing of biometric data may be subject to further restrictions (as set out in answer to question [5]). For example, in addition to having a valid legal basis for processing such data (in accordance with Article 6(1) UK GDPR), and organisation must also satisfy one of the conditions for processing under Article 9(2) UK GDPR.

Large-scale use of biometric data is likely to trigger the need for a DPIA, on the basis that the processing is likely to result in a high risk to the rights and freedoms of natural persons (Article 35 UK GDPR).

At present, the UK does not have a specific AI regulation. Instead, the UK encourages existing sector-specific regulators to interpret and apply a “principles-based framework” to the development and use of AI. The cross-sectoral principles for existing regulators to interpret and apply are as follows:

• Regulators should ensure that AI systems function in a robust, secure, and safe way throughout the AI life cycle, and that risks are continually identified, assessed and managed.
• Regulators should ensure that AI systems are appropriately transparent and explainable.
• Regulators should ensure that AI systems are fair (i.e., they do not undermine the legal rights of individuals or organizations, discriminate unfairly against individuals, or create unfair market outcomes).
• Regulators should ensure there are governance measures in place to allow for effective oversight of the supply and use of AI systems, with clear lines of accountability across the AI life cycle.
• Regulators should ensure that users, impacted third parties and actors in the AI life cycle are able to contest an AI decision or outcome that is harmful or creates a material risk of harm, and access suitable redress.

Some sector-specific regulators have also outlined their strategic approach to AI. For example, the ICO’s strategic approach establishes specific areas of focus in relation to AI and data protection, which include foundation models, high-risk AI applications (e.g., emotion recognition technology), facial recognition technology, and biometrics.

The UK may enact a set of binding measures applicable to AI in the future. The UK Government has announced its intention to establish “appropriate legislation to place requirements on those working to develop the most powerful [AI] models“. The Digital Information and Smart Data Bill was also announced, which will be accompanied by reforms to data-related laws, to support the safe development and deployment of new technologies (which may include AI). It is not yet clear exactly how this will be implemented.

Transfers of personal data to recipients outside of the UK can only take place if: (i) the transfer is to an “Adequate Jurisdiction” (as specified in the DPA 2018 or as further specified by the ICO); (ii) the transferor has implemented one of the required safeguards as specified by the UK GDPR; or (iii) one of the derogations specified in the UK GDPR applies to the relevant transfer.

Although the UK has left the EU, the European Data Protection Board Guidelines (2/2018) which concern data transfers are likely to remain relevant., These guidelines set out that a “layered approach” should be taken with respect to transfer mechanisms used to transfer data out of jurisdiction. If the transfer is not to an Adequate Jurisdiction, the transferor should first explore the possibility of implementing one of the safeguards provided for in the UK GDPR before relying on a derogation.

Adequacy

The UK has issued adequacy regulations in respect of: each of the EEA countries and their institutions; the jurisdictions that were considered “adequate” for the purposes of the (EU) GDPR by the European Commission as of 31 December 2020; Gibraltar; South Korea; Canada (partially); Japan (partially); and the United States (partially).

Contractual Mechanisms

Alternatively, common ways to ensure compliant international data transfers are the use of Standard Contractual Clauses or Binding Corporate Rules (“BCRs”).

UK International Data Transfer Agreement and the UK Addendum

In June 2021, the European Commission published a revised set of SCCs (the “New SCCs”). These revised SCCs replaced the 2001 and 2004 controller-to-controller versions, and the 2010 controller-to-processor version, previously maintained by the European Commission and used by data exporters to protect international transfers of personal data. However, due to Brexit, the New SCCs are not valid for restricted transfers of personal data under the UK GDPR. On 21 March 2022, the ICO introduced equivalent revised mechanisms: (i) a new UK International Data Transfer Agreement (the “IDTA”); and (ii) a UK-specific Addendum to the New SCCs, which modifies the New SCCs so that they can be used for the purposes of transfers of personal data out of the UK (the “Addendum”).

The IDTA is the UK’s equivalent to the New SCCs and is designed to facilitate restricted transfers of personal data under the UK GDPR between controllers, processors, sub-processors and third parties (as appropriate). The Addendum revises certain provisions of the New SCCs, when they are used in the context of transfers of personal data out of the UK.

International data transfers may also take place on the basis of contracts agreed between the data exporter and data importer provided that they conform to the protections outlined in the UK GDPR, and they have prior approval by the ICO.

BCRs

International data transfers within a group of businesses can be safeguarded by the implementation of BCRs. BCRs require ICO approval. Most importantly, BCRs will need to include a mechanism to ensure they are legally binding and enforced by every member in the group of businesses. Among other things, the BCRs must set out the group structure of the businesses, the proposed data transfers and their purpose, the rights of data subjects, the mechanisms that will be implemented to ensure compliance with the UK GDPR and the relevant complainant procedures.

UK Extension to the EU-US Data Privacy Framework

In October 2023, the UK brought into force its extension to the EU–US Data Privacy Framework (the “UK Extension”), to allow organisations in the UK to transfer personal data to US entities that are certified under the UK Extension, without the need for any other safeguards provided for under Chapter V of the UK GDPR.

Transfer Risk Assessments

The ICO requires entities to implement a transfer risk assessment prior to transferring personal data to a jurisdiction that is not the subject of an adequacy regulation in the UK.

As part of such an assessment, the data exporter must analyse whether the protection afforded to the transferred personal data by the laws of the relevant third country needs to be supplemented by additional measures to ensure a level protection that is at least equivalent to that within the UK. The ICO has published a template transfer risk assessment tool that organisations may use for this purpose.

Prior Regulatory Approval

International transfers of personal data will require prior approval from the ICO unless a UK GDPR-compliant mechanism has been implemented. Some of those transfer mechanisms (e.g., BCRs) require approval from the ICO in any event, as noted above.

Personal data must be processed in a way which ensures security and safeguards against unauthorised or unlawful processing, accidental loss, destruction and damage of the data.

Both controllers and processors must ensure they have appropriate technical and organisational measures to meet the requirements of the UK GDPR. Depending on the security risk, this may include the encryption of personal data, the ability to ensure the ongoing confidentiality, integrity and resilience of processing systems, an ability to restore access to data following a technical or physical incident, and a process for regularly testing and evaluating the technical and organisational measures for ensuring the security of processing.

“Personal data breach” means “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (Article 4(12) UK GDPR).

ICO

The controller is responsible for reporting a personal data breach without undue delay (and in any case within 72 hours of first becoming aware of the breach) to the ICO, unless the breach is unlikely to result in a risk to the rights and freedoms of the data subject(s). A processor must notify any data breach to the controller without undue delay.

The notification must include the nature of the personal data breach, including the categories and number of data subjects concerned, the name and contact details of the DPO or relevant point of contact, the likely consequences of the breach and the measures taken to address the breach, including attempts to mitigate possible adverse effects.

Data subject

Controllers are required to communicate personal data breaches to affected data subjects, without undue delay, if the breach is likely to result in a high risk to the rights and freedoms of the data subject.

The notification must include the name and contact details of the DPO (or point of contact), the likely consequences of the breach and any measures taken to remedy or mitigate the breach.

The controller may be exempt from notifying the data subject if the risk of harm is remote (e.g., because the affected data is encrypted), the controller has taken measures to minimise the risk of harm (e.g., suspending affected accounts) or the notification requires a disproportionate effort (e.g., a public notice of the breach).

Key rights include the following:

• Right of access to (copies of) data/information about processing – A data subject has the right to obtain from a controller the following information in respect of the data subject’s personal data: (i) confirmation of whether, and where, the controller is processing the data subject’s personal data; (ii) information about the purposes of the processing; (iii) information about the categories of data being processed; (iv) information about the recipients or categories of recipients with whom the data may be shared; (v) information about the period for which the data will be stored (or the criteria used to determine that period); (vi) information about the existence of the rights to erasure, to rectification, to restriction of processing and to object to processing; (vii) information about the existence of the right to complain to the relevant data protection authority; (viii) where the data were not collected from the data subject, information as to the source of the data; and (ix) information about the existence of, and an explanation of the logic involved in, any automated processing that has a legal or other significant effect on the data subject.
• Additionally, the data subject may request a copy of the personal data being processed, to the extent that the personal data requested does not adversely affect the rights and freedoms of others.
• Right to rectification of errors – Controllers must ensure that inaccurate or incomplete data are erased or rectified.
• Data subjects have the right to rectification of inaccurate personal data.
• Right to deletion / right to be forgotten – Data subjects have the right to erasure of their personal data (the right to be forgotten) if: (i) the data are no longer needed for their original purpose (and no new lawful purpose exists); (ii) the lawful basis for the processing is the data subject’s consent, the data subject withdraws that consent, and no other lawful ground exists; (iii) the data subject exercises the right to object, and the controller has no overriding grounds for continuing the processing; (iv) the data have been processed unlawfully; or (v) erasure is necessary for compliance with UK law.
• Right to object to processing – Data subjects have the right to object, on grounds relating to their particular situation, to the processing of personal data where the basis for that processing is either public interest or legitimate interest of the controller.
• The controller must cease processing when it receives a valid objection request unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the relevant data subject or it requires the data in order to establish, exercise or defend legal rights.
• Right to restrict processing – Data subjects have the right to restrict the processing of personal data, which means that the data may only be held by the controller, and may only be used for limited purposes if: (i) the accuracy of the data is contested (and only for as long as it takes to verify that accuracy); (ii) the processing is unlawful and the data subject requests restriction (as opposed to exercising the right to erasure); (iii) the controller no longer needs the data for their original purpose, but the data are still required by the controller to establish, exercise or defend legal rights; or (iv) verification of overriding grounds is pending, in the context of an erasure request.
• Right to data portability – Data subjects have a right to receive a copy of their personal data in a commonly used machine-readable format, and to transfer their personal data from one controller to another or have the data transmitted directly between controllers.
• Right to withdraw consent – A data subject has the right to withdraw their consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
• Prior to giving consent, the data subject must be informed of the right to withdraw consent. It must be as easy to withdraw consent as it is to give it.
• Right to object to marketing – Data subjects have the right to object to the processing of personal data for the purpose of direct marketing, including profiling.
• Right protecting against solely automated decision-making and profiling – Data subjects have the right to not be subject to a decision based solely on automated processing (including profiling) that produces legal effects (or similarly significant effects).
• This restriction does not apply if the decision: (i) is necessary for entering into, or performance of, a contract between the data subject and the controller; (ii) is authorised by UK law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or (iii) is based on the data subject’s explicit consent.
• In the case of (i)–(iii), the controller is required to implement suitable measures to safeguard the data subject’s rights, freedoms and legitimate interests, including at least the right to obtain human intervention on the part of the controller, so that the data subject is able to express their point of view and to contest decisions reached.
• Right to complain to the relevant data protection authority(ies) – Data subjects have the right to lodge complaints concerning the processing of their personal data with the ICO, if the data subject lives in the UK or the alleged infringement occurred in the UK.
• Right to basic information – Data subjects have the right to be provided with information on the identity of the controller, the reasons for processing their personal data and other relevant information necessary to ensure fair and transparent processing of personal data.
• Right to compensation – Data subjects who have suffered (material or non-material) damage as a result of the unlawful processing of their personal data have the right to receive compensation from the relevant controller and/or processor for the harm suffered.

Any person who has suffered material or non-material damage as a result of an infringement of the UK GDPR has the right to receive compensation from the controller or processor for the damage suffered (Article 82 UK GDPR). The ICO notes that “non-material damage” includes distress.

Every data subject also has the right to lodge a complaint with the ICO (Article 77 UK GDPR), although the ICO cannot itself award compensation.

As noted in answer to question [28], any person has the right to receive compensation from the controller or processor or damage suffered, whether material (e.g., monetary) or non-material (e.g., distress). However, the UK courts have indicated that not every contravention of applicable data protection laws will confer a right to compensation; there must be damage suffered (see, for example, Lloyd v Google LLC [2021] UKSC 50).

The ICO is responsible for enforcement of the UK GDPR and PECR in the UK. The ICO’s enforcement powers include:

• Investigative powers – The ICO has wide powers to order the controller and the processor to provide any information it requires for the performance of its tasks, to conduct investigations in the form of data protection audits, to carry out      reviews on certificates issued pursuant to the UK GDPR, to notify the controller or processor of alleged infringements of the UK GDPR, to access all personal data and all information necessary for the performance of controllers’ or processors’ tasks and to access the premises of the data, including any data processing equipment.
• Corrective powers – The ICO has a wide range of powers, including the ability to issue warnings or reprimands for non-compliance, to order the controller to disclose a personal data breach to the data subject, to impose a permanent or temporary ban on processing, to withdraw a certification and to impose an administrative fine (as below).
• Authorisation and advisory powers – The ICO has a wide range of powers to advise the controller, accredit certification bodies and to authorise certificates, contractual clauses, administrative arrangements and BCRs as outlined in the UK GDPR.
• Administrative fines – The UK GDPR provides for administrative fines of up to the greater of £17.5 million or 4% of the business’s worldwide annual turnover during the preceding financial year.
• Non-cooperation with a data protection authority – The UK GDPR provides for administrative fines of up to the greater of £17.5 million or 4% of the business’s worldwide annual turnover during the preceding financial year.

The ICO’s enforcement powers are set out in answer to question [30].

In relation to administrative fines, there is a two-tier system reflecting the severity of the breach (Articles 83(4) and (5) UK GDPR):

• Higher-tier fines – For breaches which are considered more severe, the ICO may impose administrative fines of up to £17.5 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Such breaches may include, for example, a failure to comply with data protection principles, data subject rights, or applicable rules regarding international data transfers.
• Lower-tier fines – For breaches which are considered less severe, the ICO may impose administrative fines of up to £8.7 million or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Such breaches may include, for example, a failure to maintain proper records, such as ROPAs and DPIAs.

Notably, if a controller or processor infringes several provisions of the UK GDPR in relation to the same or linked processing operations, the total administrative fine shall not exceed the amount specified for the gravest infringement (Article 83(3) UK GDPR).

Administrative fines may be imposed in addition to, or instead of, other corrective measures. When deciding whether to impose an administrative fine, and on the amount of any such fine, the ICO must have regard to certain mandatory factors as set out in Article 83 UK GDPR. These include, for example, the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them.

The ICO has also published the “Data Protection Fining Guidance” (2024), which explains that administrative fines will be calculated by applying the following five-step approach:

• Step 1: The ICO will assess the seriousness of the infringement.
• Step 2: The ICO will account for turnover, where the controller or processor is part of an undertaking.
• Step 3: The ICO will calculate the starting point, having regard to the seriousness of the infringement and, where relevant, the turnover of the undertaking.
• Step 4: The ICO will make adjustments taking into account any aggravating or mitigating factors.
• Step 5: The ICO will assess whether the fine is effective, proportionate and dissuasive.

ICO decisions can be appealed against to the First-tier Tribunal within 28 days after the ICO sends its decision by completing the relevant “General Regulatory Chamber (First-tier Tribunal)” form.

The ICO’s enforcement action over the last 12 months has generally focused on breaches of applicable direct marketing law (i.e., PECR).

The protection of the personal data of children also continues to be a focus of the ICO. As noted above, compliance with the AADC has been required since September 2021. According to the AADC, its purpose is to address how online services should design data protection safeguards to ensure that they are appropriate for use by, and meet the development needs of, children. The AADC goes on to state that businesses that fail to comply with the AADC would likely find it more difficult to demonstrate that their processing is fair and complies with the GDPR and PECR, and would therefore be more likely to face sanctions. On 3 March 2025, the ICO announced that, “as part of [the ICO’s] wider interventions into how social media and video sharing platforms use children’s data”, it was investigating how certain social media and video sharing platforms use the personal information of 13-17 year olds’ to make recommendations, and how others assess the age of their child UK users.

Finally, and as noted in answer to question [23], the ICO has identified AI (and its application in biometric technologies) as one of its three focus areas for 2024-2025, along with children’s privacy and online tracking.

The cybersecurity framework in the UK requires the implementation of a broad range of risk management measures. The obligation to implement measures can be explicit (i.e., mandated by cybersecurity legislation) or implicit (i.e., required to ensure best-practice).

The specific measures that need to be implemented by organisations are dependent on a number of factors, including, for example, whether the organisation falls within the scope of either the NIS Regulations or the CA 2003 (as amended by the Security Act), but must generally be appropriate and proportionate to manage risks posed.

NIS Regulations

For in-scope organisations, the key obligations imposed by the NIS Regulations include:

• the requirement for an organisation to notify the fact that it is in-scope for the NIS Regulations to the relevant regulator;
• the requirement to implement appropriate and proportionate measures to manage risks posed to network and information systems and to prevent, and minimise the impact of, incidents affecting the security of the network and information systems; and
• the requirement to notify the relevant authority of the occurrence of incidents (including security breaches) which have an impact on the delivery of its services.

Organisations subject to these obligations have freedom to determine what measures are appropriate and proportionate. In order to satisfy this obligation, an organisation must understand the risks posed to its network and information systems. Additionally, operators of essential services must take account of the guidance issued by the National Cyber Security Centre.

CA 2003 and the Security Act

CA 2003

The CA 2003 requires providers of public electronic communications networks (“PECN”) and public electronic communication services (“PECS”) to:

• take technical and organisational measures appropriate to manage risks to the security of public electronic communications networks and public electronic communications services; and
• adopt measures that must, in particular, prevent or minimise the impact of security incidents on end-users.

PECNs are additionally required to:

• adopt measures to prevent or minimise the impact of security incidents on the interconnection of public electronic communications networks; and
• take all appropriate steps to protect, so far as possible, the availability of the PECNs’ network.

The CA 2003 affords PECN and PECS providers a degree of freedom to determine the security measures adopted. However, PECN and PECS providers should have regard to the Security Act, Security Regulations, the Code of Practice, and guidance issued by Ofcom (as discussed in more detail below), which provides further specific details on how compliance with the requisite obligations may be achieved.

Security Act Requirements

The Security Act came into force on 1 October 2022. The Security Act amends the CA 2003 by, among other things, introducing strengthened security duties for PECN and PECS providers.

The Security Act requires PECN and PECS providers to implement minimum security requirements. Specifically, the Security Act requires that PECN and PECS providers implement measures as are appropriate and proportionate for the purposes of:

• identifying the risks of security compromises occurring;
• reducing the risks of security compromises occurring; and
• preparing for the occurrence of security compromises.

In addition, on the occurrence of a security compromise, the Security Act requires that PECN and PECS providers take measures as are appropriate and proportionate in: (i) preventing adverse effects arising from the security compromise; and (ii) remedying or mitigating the adverse effects that have been caused by a security compromise.

Other obligations imposed on PECN and PECS providers include:

• a duty to inform users where there is a significant risk of a security compromise occurring;
• a duty to inform Ofcom of any security compromise that has a significant effect on the operation of the network or service and/or any security compromise that puts a person in a position to bring about further security compromises that would have a significant effect on the operation of the network or service; and
• a duty to comply with a designated vendor direction given by the Secretary of State.

Security Regulations Requirements

The Security Act is supplemented by the Security Regulations. The Security Regulations were introduced to further the power of the Secretary of State to make such regulations in accordance with changes to the CA 2003 introduced by the Security Act. The Security Regulations came into force on 1 October 2022.

The Security Regulations detail specific security measures that must be implemented by PECN and PECS providers, including the following:

• design (and redesign, where appropriate) and construct networks in a manner that reduces the risks of security compromises, and maintain the network in manner which reduces the risk of security compromises occurring;
• use such technical means to protect data that relate to the operation of the network and/or service and to protect functions of the network and/or service;
• implement measures to monitor and analyse access to security critical functions to identify anomalous activity that may involve the risk of a security compromise occurring;
• identify and reduce the risks of security compromises occurring as a result of things done or omitted by third party suppliers;
• take measures to reduce the risk of security compromises occurring that consist of unauthorised access to the network, including through multi-factor authentication for access to an account capable of making changes to security critical functions and the implementation of a procedure regarding significant or manual changes to security critical functions;
• take measures to prepare for the occurrence of security compromises and to enable recovery from security compromises;
• provide appropriate and proportionate management of those responsible for taking measures to ensure the security of the network and/or service in accordance with the provider’s legal obligations, and ensure that those who are responsible are competent and given sufficient resources;
• regularly review the security measures implemented, taking into account relevant developments relating to the risks of security compromises occurring;
• deploy patches and/or mitigations that are made available relating to risks of security compromises occurring, and identify the need for security updates and equipment upgrades;
• carry out tests in relation to the network and/or for the purposes of identifying the risks of security compromises occurring. The tests should be carried out without notifying those responsible for identifying and responding to risks of security compromises occurring; and
• in certain circumstances, share information about security compromises with other providers and provide assistance.

Companies Act 2006 (“CA 06”)

Although company law in the UK does not impose direct cybersecurity obligations on companies, company directors have a number of legal duties and responsibilities as set out in the CA 06. Two of these duties may be interpreted as requiring company directors to take account of cyber-risks and ensure an adequate level of cybersecurity has been implemented. These duties are: (i) the duty to promote the success of the company; and (ii) the duty to exercise reasonable care, skill and diligence.

In accordance with these duties, directors should inform themselves of the cybersecurity threats facing the company, understand the risk levels, and implement measures to mitigate these risks.

ICO Guidance on Cybersecurity

Organisations in the UK must also take account of the guidance issued by the ICO from time to time relating to cybersecurity. The guidance issued by the ICO on cybersecurity recommends that organisations adopt the following measures relevant to risk-management:

• consider obtaining Cyber Essentials certification;
• track and record all assets that process personal data;
• minimise the opportunity for attacks by minimising available services and controlling connectivity;
• implement access controls across systems, networks and software. Also implement physical access controls;
• manage end user devices to ensure that organisational controls can be implemented;
• use strong passwords and implement multi-factor authentication;
• deploy anti-virus and anti-malware products and ensure regular network scanning;
• keep software and hardware up-to-date and implement a policy that defines the patch management process, ensuring that priority is given to patches relating to internet-facing services, as well as critical and high risk patches;
• use encryption and/or pseudonymisation where appropriate; – implement a robust back-up strategy (including use of at least one off-site back-up);
• train personnel to recognise cybersecurity threats and how to respond;
• implement a process for regularly checking security software messages, access control logs and other reporting systems for suspicious activity;
• run regular vulnerability scans, virus and malware scanning, and penetration tests. The results should be recorded together with remediating action plan;
• ensure that web services are protected from common security vulnerabilities (e.g., SQL injection and others described in widely-used publications);
• implement appropriate policies and procedures addressing cybersecurity and data privacy;
• take steps to minimise the volume of data (particularly personal data) being held; and
• conduct security audits on IT providers.

A failure to adopt these measures without good reason may attract criticism from the ICO in the event of an investigation and exacerbate the level of any fines imposed.

Certain requirements regarding supply chain management do exist pursuant to the UK’s cybersecurity laws. A non-exhaustive list of requirements is set out below.

NIS Regulations

The NIS Regulations impose certain requirements on in-scope entities relevant to supply chain management. In particular:

• Operators of essential services must take appropriate and proportionate technical and organisational measures to manage risks posed to the security of the network and information systems on which their essential service relies; and
• Relevant digital service providers must identify and take appropriate and proportionate measures to manage the risks posed to the security of network and information systems on which they rely to provide, within the UK, the services of: (i) online marketplaces; (ii) online search engines; or (iii) cloud computing services.

The National Cyber Security Centre (“NCSC”) has also published supply chain security guidance, which outlines 12 principles designed to help in-scope entities establish effective control and oversight over their supply chains.

PSTI and PSTI Regulations

The PSTI and PSTI Regulations establish obligations across the supply chain of in-scope actors, focusing on manufacturers, importers, and distributors of in-scope consumer connectable products. For example:

• Importers have duties to not supply products where there is a compliance failure by a manufacturer, and to take action in relation to a manufacturer’s compliance failure; and
• Distributors have duties to take action in relation to a compliance failure by a distributor or manufacturer.

Information sharing requirements do exist pursuant to certain UK cybersecurity legislation. For example, the Security Act imposes a duty PECN and PECS providers to inform users where there is a significant risk of a security compromise occurring. The Security Regulations further specify that, in certain circumstances, PECN and PESC providers must share information about security compromises with other providers and provide assistance.

Incident reporting obligations are discussed in answer to question [41].

UK cybersecurity laws do not specifically mandate the appointment of a chief information security officer or person responsible for cybersecurity. However, various UK cybersecurity laws impose a requirement on in-scope businesses to take “appropriate and proportionate” measures to manage cybersecurity related risks, such as NIS, the Security Act, and the Security Regulations. The appointment of a chief information security officer (or similar) may amount to an appropriate and proportionate measure to manage such risks.

As noted in answer to question [1], the legal framework relating to cybersecurity in the UK spans a number of distinct laws, with specific laws and regulations for different industries. For example, a separate regime monitors compliance for the financial services and government authorities respectively. The following is offered by way of a non-exhaustive overview.

Financial Services

Financial services organisations in the UK are subject to regulation primarily originating from the Financial Services and Markets Act 2000.

Organisations falling within the remit of the Financial Conduct Authority (“FCA”) or the Prudential Regulatory Authority (“PRA”) are also subject to specific obligations, as set out in the FCA Handbook and PRA Rulebook. Banks, building societies, credit unions, insurers and certain high-risk investment firms are subject to FCA and/or PRA oversight.

FCA Handbook

Organisations subject to the FCA Handbook are required to establish and maintain appropriate systems and controls for managing operational risks that can arise from inadequacies or failures in their processes and systems.

In complying with these obligations, an organisation firm should consider:

• the importance and complexity of processes and systems used in the end-to-end operating cycle for its products and activities;
• controls that will help prevent or identify system and process failures;
• whether the design and use of its processes and systems allow it to comply adequately with its regulatory and other requirements;
• the arrangements it has to ensure the continuity of its operations in the event that a significant process or system becomes unavailable; and
• the importance of monitoring any indicators of process or system risk.

In addition to these requirements, organisations should establish and maintain appropriate systems and controls to manage their IT systems and information security risks. Organisations subject to the requirements of the FCA Handbook must also implement measures to address operational resilience requirements.

PRA Requirements

The PRA Rulebook requires that organisations establish, implement and maintain systems and procedures that are adequate to safeguard the security, integrity and confidentiality of information, taking into account the nature of the information in question.

Organisations must have appropriate security mechanisms in place to guarantee the security and authentication of the means of transfer of information, minimise the risk of data corruption and unauthorised access, and maintain the confidentiality of data at all times.

Public Authorities

Public authorities in the UK are subject to many of the same obligations concerning cybersecurity and the protection of personal data as detailed above (including obligations contained in the UK GDPR and the NIS Regulations). In addition, the Official Secrets Act 1989 (“OSA”) imposes obligations primarily on employees of UK government bodies. The OSA does not impose cybersecurity requirements as such; however, individuals subject to the OSA must take care to prevent the unauthorised disclosure of documents or articles in their possession which are subject to the OSA.

A breach of the OSA is a criminal offence, punishable by fines or imprisonment.

International cybersecurity standards often influence UK cybersecurity laws by providing a benchmark for compliance. For example, the NIS Regulations, Security Act, and Security Regulations require businesses to implement appropriate and proportionate cybersecurity measures. Adhering to international standards and achieving, for example, ISO certification(s) can help organisations demonstrate compliance with such legal obligations.

The UK’s cybersecurity laws impose various obligations in the context of cybersecurity incidents.

Key definitions include:

• NIS Regulations – An incident means “any event having an actual adverse effect on the security of network and information systems”.
• NCSC – The NCSC has defined a “cyber incident” as a “breach of a system’s security policy in order to affect its integrity or availability and/or the unauthorized access or attempted access to a system or systems”.
• FCA Materiality – Organisations subject to FCA oversight must report material cyber incidents, and an incident is considered “material” if, for example, it results in a significant loss of data or loss of availability of a firm’s IT systems, affects a large number of customers, or results in authorised access to information and communication systems.

NIS Regulations

One of the NIS Regulations’ key obligations is the requirement to notify the relevant authority of the occurrence of incidents (including security breaches) which have had an impact on the delivery of its services.

If an operator of an essential service or a digital service provider suffers an incident which has a significant impact on, respectively, the continuity of the essential service, or the provision of the digital service, it must notify the relevant authority without undue delay and in any event no later than 72 hours after becoming aware of the incident.

Factors that must be considered include the number of users affected, the duration of the incident, the geographical spread, the extent of the disruption and the extent of the incident’s impact. When considering these factors, in-scope organisations are not required to collect additional information to which they do not have access.

If reportable, the organisation notifying must provide the following information:

• its name and the essential service or digital service it provides;
• the time that the incident occurred;
• the duration of the incident;
• information concerning the nature and impact of the incident;
• information concerning any, or any likely, cross-border impact of the incident; and
• any other information that may be helpful to the relevant authority.

Directors Duties

In line with a directors duty to promote the success of the company, and to exercise reasonable care, skill, and diligence (CA 06), in response to the occurrence of a cybersecurity incident organisations should:

• execute the applicable breach response policy and procedures;
• consider what, if any, notifications to regulators or other persons must be made;
• address the incident and takes steps to mitigate the damage caused;
• report the incident to the relevant authorities;
• report the incident to any relevant insurance providers; and
• investigate the incident and maintain a record of the incident and investigation.

Where relevant, organisations should also consider whether the cybersecurity incidents need to be disclosed in annual reports or to the market if the cybersecurity incident is considered “insider information”.

In addition, if a company is preparing a prospectus as part of the process for raising equity or debt on the market there is a requirement to describe relevant risks. A company that has suffered cybersecurity incidents should consider whether to disclose this in its prospectus.

CMA

Upon the discovery of any cybersecurity incidents or breaches of the CMA 1990, organisations should take steps to preserve all relevant records relating to such incidents and report to the relevant authorities as soon as possible.

A notification to the police for a suspected CMA 1990 offence might also require a notification to the ICO (or other regulators) if the incident is also a relevant incident for the purposes of the DPA,  NIS Regulations, Security Act, PECR or Financial Conduct Authority Handbook/Prudential Regulatory Authority Rulebook.

FCA Notification

Organisations subject to FCA oversight must report material cyber incidents. As explained above, an incident is considered material if, for example, it results in a significant loss of data or loss of availability of a firm’s IT systems, affects a large number of customers, or results in authorised access to information and communication systems.

PRA Notification

Organisations subject to the PRA Rulebook are also subject to general notifications requirements.

Organisations must notify the PRA if they become aware, or have information which reasonably suggests that, any matter which could have a significant adverse impact on the firm’s reputation or affect the organisation’s ability to continue to provide adequate services to its customers has occurred, may have occurred, or may occur in the foreseeable future. A data breach or other cybersecurity incident of a material nature is likely to trigger this general requirement to notify the PRA.

In the UK, cybersecurity law is enforced as a matter of civil and criminal law.

The authority responsible for enforcement varies depending on the relevant legislation and sector in which businesses operate. By way of example:

• Ofcom – Ofcom is also responsible for overseeing compliance with the CA 2003 and the Security Act, and the relevant requirements on security (including cybersecurity) of telecommunications service providers.
• OPSS – The OPSS is responsible for overseeing compliance with the PSTI 2022 and PSTI Regulations.
• NIS Regulations – The NIS Regulations are enforced by a variety of competent authorities which vary according to the sectors in which the relevant in-scope entity operates.
• PSTI 2022 and PSTI Security Regulations – The Secretary of State is empowered to enforce the PSTI 2022 and PSTI Security Regulations (although the Secretary of State may also delegate its enforcement powers).
• FCA – The FCA may take enforcement action against organisations in breach of its “Principles for Business”, which includes a general requirement for in-scope organisations to disclose things to the FCA that the regulator would reasonably expect to be notified about.

Typically, authorities responsible for enforcement will engage with the relevant in-scope entity before commencing enforcement action.

Regulators are given wide-reaching powers to ensure compliance with cybersecurity laws in the UK. By way of example, the NIS Regulations allow: (i) competent authorities to conduct inspections to assess if the an in-scope organisation has met its obligations under the NIS Regulations; and (ii) provides the ICO with the power to inspect relevant organisations (i.e., those that provide online search engines, online marketplaces and cloud computing services), to assess whether they are meeting cybersecurity obligations.

The ICO is able to inspect in-scope organisations themselves, appoint a third party to complete an inspection, or require the organisation to appoint a third party, and providers of in-scope online services must take steps to assist with any such inspection (which can include paying for ‘reasonable costs’ of the inspection, co-operating with the inspectors, and allowing the inspectors access to documents and information that may be relevant). Failure to take these steps can lead to the ICO imposing a penalty.

Such inspections will include reviews of personal data and associated logs and audit trails, and are likely to include a review of both manually and electronically stored data. The ICO will use the data obtained in the inspection to evaluate how the relevant organisation maintains systems to protect data and prevent cybersecurity breaches.

Regulators are given wide-reaching powers to ensure compliance with cybersecurity laws in the UK. The following is provided is a non-exhaustive overview,

NIS Regulations

The NIS Regulations allow competent authorities to:

• impose significant fines on organisations for non-compliance (the level of the applicable fine will be determined with reference to the nature of the non-compliance, and fines can reach a maximum of £17 million);
• conduct inspections to assess if the an in-scope organisation has met its obligations under the NIS Regulations;
• serve information notices to require an organisation to provide information to enable the regulator to assess the organisation’s compliance with the NIS Regulations; and
• serve enforcement notices which set out the steps that the organisation must take to rectify identified failures by the organisation.

Penalties issued under the NIS Regulations must be appropriate and proportionate to the failure. Penalty notices are reserved for the most serious breaches, for example, when there has been “willful, deliberate or negligent acts, or repeated breaches of information rights obligations” that cause “harm or damage to individuals”.

PSTI and PSTI Regulations

Similarly, under the PSTI and PSTI Security Regulations the Secretary of State (or a recipient of the Secretary of State’s powers) can:

• issue compliance notices where there are reasonable grounds to believe that a person has failed to comply with their obligations under PSTI 2022 or the PSTI Security Regulations;
• issue a stop notice where there are reasonable grounds to believe that a person is carrying on, or is likely to carry on, an activity in violation of PSTI 2022 or the PSTI Security Regulations; or
• issue a recall notice where the Secretary of State: (i) has reasonable grounds to believe that there is a compliance failure in relation to any UK consumer connectable products that have been supplied to customers; (ii) considers that the action (if any) being taken by any relevant person in relation to the compliance failure is inadequate; and (iii) considers that any other action which they may take would not be sufficient to deal with the risks posed by the compliance failure.

If the Secretary of State is satisfied (on the balance of probabilities) that there has been a failure to comply with the requirements of PSTI 2022 and the PSTI Security Regulations, a monetary penalty notice may be issued (up to a maximum of the greater of £10 million or 4% or worldwide revenue).

The Security Act

The maximum penalties for non-compliance with an obligation set forth in the Security Act are fines of up to £100,000 per day or 10% of turnover.

PECN and PECS providers that violate their obligations under the Security Act are also exposed to civil liability. The Security Act explicitly provides that the obligations on PECN and PECS providers with respect to security of the PECN and PECS are owed to every person who may be affected by a violation of such obligations. Where a breach of an obligation set out in the Security Act causes a person to sustain loss or damage, this is actionable as a civil claim. The level of the applicable fine will be determined with reference to the nature of the non-compliance.

CMA 1990

A person guilty of an offence under the CMA 1990 may be subject to a fine or imprisonment. The level of the fine or the length of the sentence will vary according to the offence and its severity. For the most serious offences, it is possible to be imprisoned for life.

Yes, penalty fines are calculated with reference to a number of guidelines. Thresholds are also contained within the provisions of many relevant pieces of legislation.

For example:

• NIS Regulations – Penalty fines issued under the regime established by the NIS Regulations are calculated with reference to the provisions of Regulation 18.
• As outlined in Regulation 18, the amount of penalty fine will depend on whether the organisation’s breach is judged to be “material”, and the NIS Regulations define a “material contravention” as one that indicates a failure to take (or to adequately take) one or more steps required under an enforcement notice within the period specified in the notice, or if no enforcement notice was served, one of the failures outlined in Regulation 17 (1).
  • If the enforcement authority determines that contravention was not material, the fine cannot exceed £1 million.
  • If the enforcement authority determines that the contravention is material the fine cannot exceed £8.5 million.
  • However, if the contravention is judged as being material, and something that could have created significant risk to, or significant impact on, or in relation to, the service provision by the operator of an essential service or a relevant digital service provider, the fine can be as much as £17 million.
• Ofcom – As discussed in question [1], Ofcom is the authority responsible for issuing penalty fines for organisations who fail to comply with obligations set forth in the Security Act. The maximum penalties are fines of up to £100,000 per day of 10% of turnover.

Enforcement decisions in the UK are open to appeal, although the precise mechanism for appealing will vary between legislation. For example:

• NIS Regulations – Appeals against decisions made by a competent authority under the NIS Regulations can be made to the First-tier Tribunal.
• Communications Act – Appeals against decisions made by Ofcom or the Secretary of State under certain provisions of the Communications Act can be made to the Competition Appeal Tribunal.
• PSTI – Appeals against enforcement notices made by the Secretary of State under the PSTI and PSTI Regulations can be made to the First-tier Tribunal.

The ICO has shown a willingness to bring enforcement action against organisations that fail to fully implement appropriate cybersecurity measures. Particular attention appears to be being paid to organisations who operate in the healthcare sector, or support other essential public services.  In this context, ransomware attacks continue to generate significant enforcement interest.