United Kingdom - Data Breach Guide

United Kingdom

1.1 In the event of a data breach affecting residents of your country, is there any legal obligation or requirement to notify either a) affected individuals; or b) a regulator such as a data protection authority (DPA)?

Yes. In the UK the general regime that applies to every organisation that processes personal data consists of the General Data Protection Regulation ("GDPR") and Data Protection Act 2018 Parts 1 and 2 ("DPA 2018"). We will refer to both of them as the "Data Protection Laws".

According to the Data Protection Laws organisations processing personal data are obliged to notify affected individuals and the regulator (this would be the Information Commissioner's Office ("ICO") in the UK) in respect of certain data breaches.

In addition, the following legislation in force applies to certain types of providers only who are under obligation of notifying the ICO and individuals affected should a data breach occurs. These are:

• The Privacy and Electronic Communications Regulations 2003 ("PECR") which applies to public electronic communications services (provision of services that allow individuals to send electronic messages, for example telecoms providers and internet service providers);
• The NIS Regulations 2018 ("NIS") that applies to providers of digital services (e.g. online marketplaces, online search engines or cloud services); and
• The eIDAS Regulation ("eIDAS") which applies to providers of trust services such as electronic signatures, electronic seals, electronic time stamps, electronic delivery services and website authentication certificates.
• The Data Protection Act 2018 Part 3 ("DPA-P3"), which applies to the processing of personal data for law enforcement purposes carried out by a competent authority (authorities with statutory functions for law enforcement purposes, mainly listed in Schedule 7 of the Act); and
• The Data Protection Act 2018 Part 4 ("DPA-P4") that applies to the processing of personal data by an intelligence service.

1.2 Under what conditions must such notification(s) be given, including a) what types of data must be breached to trigger notification; and b) whether the entity must be a data controller or data processor in your country for such obligations to apply?

According to the Data Protection Laws, a data controller must notify personal data breaches (defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed):

• To the ICO, when the breach is likely to result in a risk to the rights and freedoms of individuals; and
• To the individuals affected by the breach when the breach is likely to result in a high risk to the rights and freedoms of individuals.

On the other hand, a data processor must notify the data controller of any personal data breaches affecting the personal data processed under the instructions of the data controller.

Under PECR, data breaches of similar nature than those under the Data Protection Laws must be reported by the service provider in any case to the ICO, and also to customers if the breach is likely to adversely affect the privacy of both subscribers (who are a party to the service contract with the provider) and users of the public electronic communications service provided. These obligations take the place of GDPR breach reporting and service providers do not need to take any separate action to comply with GPDR.

PECR also states that if an organisation is responsible for delivering part of the service but does not have a direct contractual relationship with end users, it does not have to notify the ICO of a personal data breach, but it must immediately notify the organisation that does have the contractual relationship with end users and that organisation must then notify the ICO.

Entities to whom NIS applies are under obligation of notifying the ICO of any incidents provided that the incident has a substantial impact on the provision of the services. An incident is defined as any event having an actual adverse effect on the security of network and information systems, that jeopardizes the confidentiality, integrity or availability of information or an information system. The Digital Services Provider Regulations sets out the relevant parameters to consider the factors that need to be taken into account when assessing whether or not the ICO needs to be notified of such an incident. Consideration should also be taken as to whether the National Cyber Security Centre should be equally notified.

Under e-IDAS, the breach of security is defined as any breach of security or loss of integrity that has a significant impact on a trust service provided or on the personal data maintained therein. The ICO clarifies that "if there is no harm caused, or there is only a minimal effect, this will not qualify as a breach" although the security measures implemented should be reviewed accordingly. Organisations governed by e-IDAS are under obligation of notifying the ICO when the breach of security of such a nature happens. If personal data is compromised by the breach, the notification requirement under GDPR/DPA 2018 will be considered to be met under the e-IDAS notification too. Users and any other individual affected by the breach must be informed too should the breach be likely to adversely affect them.

Law enforcement bodies acting as data controllers will have similar notification requirements to both the ICO and individuals if a personal data breach happens under similar notification requirements than in GDPR. In addition, they will also have to notify other controllers potentially based in the European Union when the personal data compromised by the breach has been transmitted by or to such a controller.

Intelligence service bodies will be under similar notification requirements to the ICO than law enforcement bodies provided that the data breach is qualified as a "serious" one, which is defined as a breach that seriously interferes with the rights and freedoms of the data subject. However, there is no obligation to notify individuals under Part 4 of the DPA 2018.

In both cases data processors processing personal data under the instructions of law enforcement and intelligence service bodies are under obligation of informing them should they become aware of a data breach.

Where organisations need to conduct a risk assessment to assess the extent to which rights and freedoms have been affected by a breach it is relevant to focus on the potential negative consequences for the individuals. The risk assessment should take place with immediate effect once the organisation is aware of the breach as strict time scales apply when reporting a notifiable data breach.

1.3 For such notification(s), is there any required or suggested a) content of the notice; b) time period in which notice must be given; or c) method of giving notice, such as regular mail, email, web-posting or publication?

For easier reference, we have drafted the following table setting out the notification timescales, forms required and content of each of the data breach notifications regulated in the UK:

It is important that organisations are aware that the clock starts ticking on the duty to notify from the moment they become aware of the breach. Therefore, organisations need to be proactive when dealing with personal data breaches. Case law has demonstrated that the ICO will take into consideration whether or not the organisation has demonstrated a proactive approach and informed the affected individuals of the data breach when sanctioning such organisation in relation to the breach.

If the likelihood and severity of the risk affecting people's rights and freedoms is very low, the organisation does not have to report the breach, however organisations must keep a record of the breach and justify their decision not to notify the ICO or the individuals affected by the breach.

1.4 What are the penalties, fines or risks in failing to notify, either by the DPA or in litigation?

For easier reference, we have produced the following table in which the main risks and penalties are detailed:

In addition, the ICO's fines can be combined with other corrective powers such as serve an Enforcement Notice order if there has been a breach, requiring an organisation to take specified steps to comply with the law.

Failure to comply with an ICO enforcement notice, assessment notice (for a compulsory audit) or information notice (in which the ICO requires for the provision of information) may lead to more substantial fines of up to EUR 20,000,000, or 4 % of the organisation's total worldwide annual turnover, whichever is higher.

1.5 Even if there is no current legal obligation to do so, or if there is no "data controller" or "data processor" located in your country, is notification to individuals recommended in the event of a data breach affecting residents in your country (such as in credit card data breaches)?

Notifying individuals in the UK is mandatory under different regimes as we have detailed above.

This obligation is assessed on the severity of the potential / actual impact on the individual and the likelihood of this happening. One of the main reasons for informing individuals is to help them take steps to protect themselves from the effects of a breach. On this basis, even if there were no legal obligation, it would still be recommended to inform individuals in a context in which they need to be aware of the breach to take steps to protect themselves from any adverse consequence.

1.6 What are the applicable (data protection) laws or guidelines within your country?

In the UK we are subject to:

• UK Data Protection Act 2018;
• General Data Protection Regulation 2018;
• Privacy and Communications Regulations 2003;
• The NIS Regulations 2018;
• The e-IDAS Regulation;
• Human Rights Act 1998;
• Freedom of Information Act 2000;
• Environmental Information Regulations 2004; and
• Information Commissioner's Office guidelines.

1.7 Contact information for the local Data Protection Authority:

For more information, contact: