United Kingdom
United Kingdom General Data Protection Regulation (UK GDPR)
The Data Protection Act 2018, as well as the GDPR, forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419).
Highlights
Territorial Scope:
The UK GDPR applies to the processing of Personal Data in the context of the activities of an establishment of a Controller or a Processor in the UK, regardless of whether the processing takes place in the UK or not.
The UK GDPR applies to the processing of Personal Data of Data Subjects who are in the UK by a Controller or Processor not established in the UK, where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment by the data subject is required, to such Data Subjects in the UK; or
- the monitoring of their behavior as far as their behavior takes place within the UK.
The UK GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.
Principles:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
Lawfulness of Processing:
Processing is lawful only if and to the extent that at least one of the following applies:
- The Data Subject has given consent to the processing of his or her Personal Data for one or more specific purposes; or
- Processing is necessary:
- For the performance of a contract;
- For compliance with a legal obligation;
- To protect the vital interests of the Data Subject or of another natural person;
- For the performance of a task carried out in the public interest; or
- For the purposes of the legitimate interests pursued by the Controller or by a third party.
The Data (Use and Access) Bill (DUAA) 2025 introduces a “recognised legitimate interest” ground, under which data controllers can process personal data provided the processing meets a condition in Annex 1. For such purposes they no longer have to rely on the “legitimate interests” ground, which requires a legitimate interests assessment (“LIA”) to be carried out before processing.
Controller and Processor Obligations:
- Implement appropriate technical and organizational measures to ensure and to demonstrate that processing is performed in accordance with the UK GDPR.
- Implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data protection principles by design and by default.
- For Controllers or Processors not established in the UK, designate in writing a UK representative.
- Govern processing by a Processor by a contract or other legal act under UK domestic law that is binding on the Processor with regard to the Controller and that sets out the required provisions.
- For Processors, not to process Personal Data except on instructions from the Controller, unless required to do so by UK domestic law.
- Maintain a record of processing activities.
- Cooperate on request with the Information Commissioner’s Office (ICO).
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
- For Controllers, in the case of a Personal Data Breach, notify the ICO without undue delay and, where feasible, not later than 72 hours after having become aware of it.
- For Processors, notify the Controller without undue delay after becoming aware of a Personal Data Breach.
- For Controllers, communicate the Personal Data Breach to the Data Subject without undue delay when the Personal Data Breach is likely to result in a high risk to the rights and freedoms of natural persons.
- Carry out a data protection impact assessment where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons.
- Designate a data protection officer where:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- the core activities of the Controller or the Processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of Data Subjects on a large scale; or
- the core activities of the Controller or the Processor consist of processing on a large scale of Special Categories of Personal Data pursuant to Article 9 or Personal Data relating to criminal convictions and offenses referred to in Article 10.
Data Subject Rights:
The Controller shall provide information on request to the Data Subject without undue delay and in any event within 1 month of receipt of the request. That period may be extended by a further two months where necessary, taking into account the complexity and number of the requests.
- Right of access
- Right to rectification
- Right to erasure (“right to be forgotten”)
- Right to restriction of processing
- Right to data portability
- Right to object to processing of Personal Data
- Right not to be subject to a decision based solely on automated processing, including Profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
DUAA 2025 introduces a “stop the clock” provision that pauses the statutory timeframe (the ‘applicable time period’) for responding to requests from data subjects concerning their right to receive information about the processing of their personal data.
DUAA also inserts provisions into Article 22 UK GDPR under which a significant decision (a decision based solely on automated processing that has a legal or similarly significant effect) based on processing of special category personal data described in Article 9(1) UK GDPR is permitted only if one of the following two conditions is satisfied:
- Explicit consent
- The decision is (i) necessary for entering into or performing a contract between the data subject and the controller, or (ii) required or authorised by law; and Article 9(2)(g) UK GDPR is engaged.
Safeguards must be put in place if a significant decision is taken by a data controller.
Cross-border Data Transfers to Third Countries or International Organizations:
- Transfers on the Basis of an Adequacy Decision: A transfer of Personal Data to a third country or an international organization may take place if the UK determines there are adequate levels of legal protection for personal data. An adequacy decision is based on the UK’s adequacy regulations, which set out in law that the legal framework in that third country, territory, or international organization, or in a particular sector in a country or territory, has been assessed as providing adequate protection for people’s rights and freedoms about their Personal Data.
- Transfers subject to Appropriate Safeguards: In the absence of adequacy regulations, a Controller or Processor may transfer Personal Data to a third country or an international organization only if the Controller or Processor has provided appropriate safeguards, and on condition that enforceable Data Subject rights and effective legal remedies for Data Subjects are available. [Example: UK International Data Transfer Agreement (IDTA).]
- Binding Corporate Rules: Binding corporate rules are data protection policies adhered to by companies established in the UK for transfers of Personal Data to receivers outside the UK within multinational corporate groups or groups of undertakings or enterprises. UK Binding Corporate Rules are approved by the ICO.
Personal Data Breach Notification:
- Timeline for Notification to the ICO: Without undue delay and, where feasible, not later than 72 hours after becoming aware of a Personal Data Breach (unless the Personal Data Breach is unlikely to result in a risk to the rights and freedoms of natural persons). The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach.
- Requirements for Notification to the ICO: The notification shall at least:
- (i) Describe the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
- (ii) Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
- (iii) Describe the likely consequences of the Personal Data Breach; and
- (iv) Describe the measures taken or proposed to be taken by the Controller to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
- Requirements for Notification to Affected Data Subjects: When the Personal Data Breach is likely to result in a high risk to the rights and freedoms of natural persons, the Controller shall communicate the Personal Data Breach to the Data Subject without undue delay. Such notification should at least contain the information required in (ii)-(iv) above.
- When is Notification to Affected Data Subjects not required?
- If the Controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the Personal Data affected by the Personal Data Breach, in particular those that render the Personal Data unintelligible to any person who is not authorized to access it, such as encryption.
- If the Controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of Data Subjects is no longer likely to materialize.
- If it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the Data Subjects are informed in an equally effective manner.
More Details
Definitions:
- Controller: The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
- Data Subject: An identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Personal Data: Any information relating to an identified or identifiable natural person.
- Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
- Processor: A natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller.
- Profiling: Any form of automated processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
- Special Categories of Personal Data: Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. The UK GDPR also has restrictions on the processing of Personal Data relating to criminal convictions and offenses.
Penalties:
Infringements of certain provisions can be subject to administrative fines up to £8.7 million or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Infringements of other provisions, such as the basic principles for processing and consent, data subject rights, and cross-border transfers of personal data to third countries or international organizations, can be subject to administrative fines up to £17.5 million or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Remedies, Liability, and Complaints:
- Right to Lodge a Complaint with the ICO: Every Data Subject has the right to lodge a complaint with the ICO if the Data Subject considers that the processing of Personal Data relating to him or her infringes the UK GDPR.
- Right to an Effective Judicial Remedy against the ICO: Each natural or legal person has the right to an effective judicial remedy against a legally binding decision of the ICO concerning them.
- Right to an Effective Judicial Remedy against a Controller or Processor: Each Data Subject has the right to an effective judicial remedy where he or she considers that his or her rights under the UK GDPR have been infringed as a result of the processing of his or her Personal Data in non-compliance with the UK GDPR.
Effective Date:
January 1, 2021
Network and Information Systems Regulations 2018 (NIS)
NIS implements the Network and Information Services Directive (NIS Directive), and introduces mandatory breach reporting to sector specific competent authorities or the ICO, as applicable, for Operators of Essential Services (OES) or Relevant Digital Service Providers (RDSP).
The application of the NIS Regulations 2018 is not limited to breaches involving personal data.
Highlights
Territorial Scope:
NIS applies to two groups of organisations: ‘operators of essential services’ (OES) and ‘relevant digital service providers’ (RDSPs). The ICO only regulates RDSPs, not OES.
RDSPs:
You are a ‘relevant digital service provider’ if you:
- provide one or more of the following digital services: an online search engine, an online marketplace, and a cloud computing service;
- have your head office in the UK, or have nominated a UK representative; and
- don’t meet the definition of a micro or small enterprise – this definition applies where you have fewer than 50 staff and an annual turnover or balance sheet of below €10 million.
Penalties:
Fines for non-compliance must be effective, proportionate, and dissuasive.
Fines for essential entities can be up to €10,000,000 or 2% of the total worldwide annual turnover, whichever is higher. For important entities, fines can be up to €7,000,000 or 1.4% of the total worldwide annual turnover, whichever is higher.
If the compliance violation can lead to a personal data breach under GDPR, competent authorities must inform the relevant supervisory authorities, who can impose fines under GDPR for the same conduct.
Effective Date: May 10, 2018
Cyber Security and Resilience Bill
The proposed Bill will broaden the existing Network and Information Systems (NIS) Regulations 2018 to bring a wider range of digital services, and supply chains, in scope of cyber law.
Highlights
- Managed service providers will be brought into scope and could include those offering services such as IT infrastructure, IT remote support and SOCs.
- The Bill will enable the Government to set stronger supply chain duties for operators of essential services (OES) and relevant digital service providers (RDSP) in secondary legislation.
- Enhanced powers for the ICO, such as expanded criteria for using its existing power to serve information notices on organisations that provide digital services.
- The Bill will update incident reporting criteria and timelines.
Effective Date: [TBC – likely to be laid before Parliament in Q4 2025]
Telecommunications (Security) Act (2021)
Highlights
The Telecommunications (Security) Act 2021 (the “Act”) creates a framework imposing cyber security obligations on the telecoms industry in the UK. The Act imposes duties on public electronic communications service providers, in addition to those in the Communications Act 2003, creating more specific security obligations.
These additional duties include: to protect network architecture, to monitor and analyse access and changes to the networks or service, to implement security upgrades within an appropriate timeframe, and to carry out testing to identify security risks.
Failure to comply with the security duties could result in fines of up to 10% of the provider's turnover or a fine of £100,000 per day.
If a provider fails to provide information or explain a failure to follow the Code of Practice (which sits alongside the Regulations), Ofcom can impose a fine of up to £10,000,000 and £50,000 per day.
Enforcement and sanctions:
Ofcom is responsible for enforcing the Act. It publishes procedural guidance setting out its approach to monitoring the industry. In the case of non-compliance, sanctions of up to 10% of global turnover can be issued.
Ofcom can impose interim measures to address adverse impacts on a network, and the Act provides the right for a person who suffers loss due to a provider’s non-compliance to seek restitution in civil proceedings, with Ofcom’s consent.
Effective Date: October 1, 2022
Privacy and Electronic Communications Regulations 2003 (PECR)
PECR sits alongside the UK GDPR and applies to the sending of electronic marketing and the use of cookies or similar technologies.
Highlights
Duties:
Public electronic communications service providers must take appropriate technical and organisational measures to safeguard the security of their services.
They must:
- ensure that personal data may only be accessed by authorised personnel for legally authorised purposes;
- protect personal data which they store or transmit against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure; and
- ensure that a security policy regarding the processing of personal data is implemented.
Effective date of most recent version: March 29, 2019
Computer Misuse Act 1990
The Computer Misuse Act 1990 defines the illegal access and modification of computer systems and sets penalties for such actions.
Highlights
The Computer Misuse Act 1990 created three offences:
- unauthorized access to computer material,
- unauthorized access with intent to commit or facilitate commission of further offences, and
- unauthorized modification of computer material.
Sanctions:
The offence of unauthorized access to computer material is punishable on summary conviction by imprisonment for a term not exceeding the general limit in a magistrates’ court (up to 12 months in Scotland) or a fine not exceeding the statutory maximum, or both.
Upon conviction on indictment, the offence is punishable by imprisonment for a term not exceeding two years, and/or a fine.
The offence of unauthorized access with intent to commit or facilitate commission of further offences is punishable in the same way on summary conviction, but by imprisonment for a term not exceeding five years and/or a fine if an individual is convicted on indictment.
The offence of unauthorized modification of computer material is punishable in the same way on summary conviction, but by imprisonment for a term not exceeding ten years and/or a fine if an individual is convicted on indictment.
Effective Date: August 29, 1990