The United Kingdom Data Protection Laws' Incident Response Guidelines

How to prepare your organization for compliance with the
Data Protection Act 2018 and UK GDPR

The United Kingdom’s (UK) General Data Protection Regulation (GDPR) was created in response to the UK’s departure from the European Union. It now operates in conjunction with the Data Protection Act 2018 (DPA 2018), a law previously introduced to implement the EU GDPR.

The UK GDPR and EU GDPR are similar but not identical. Businesses need to be aware of their key differences. 

Automate United Kingdom privacy obligations with the BreachRx platform

Tailor your incident response plan in minutes so you know exactly what to do by when and take the crisis out of your incident response

Who Must Adhere to Data Protection Laws in the UK

Any organization that controls or processes data on individuals located in the UK must adhere to the country’s privacy laws, regardless of where the organization is located. This includes any activities related to offering goods and services to individuals located in the UK as well as monitoring the behavior of individuals located in the UK.

What types of data are covered by the UK’s data protection laws?
  • Personal data: Any information relating to an identified or identifiable natural person, including but not limited to name, ID number, phone number, and location data.
  • Special categories of personal data: More sensitive types of data, including data about race, religion, sexual life, health, genetics, biometrics, and criminal convictions and offenses, are subject to tighter requirements.
What’s the difference between a controller and a processor?
  • Controller: The party that determines the purposes and means of the processing of personal data
  • Processor: The party that processes personal data on behalf of the controller
What are the restrictions for transferring data outside the UK?Controllers and processors can only transfer personal data to specific countries that have been deemed to have adequate controls in place or in situations where the organization creates the appropriate safeguards.
What are the exemptions to the UK’s data protection laws?
  • Processing covered by the Law Enforcement Directive
  • Processing for national security purposes
  • Processing carried out by individuals purely for personal/household activities

How the UK Enforces the DPA 2018 and UK GDPR

The Information Commissioner Officer (ICO) is responsible for enforcing the UK’s data protection laws and providing guidance on enforcement.

What Enforcement Powers Exist?

The ICO has broad powers to investigate potential instances of non-compliance and to correct issues by conducting data protection audits, issuing public warnings, and issuing orders for remediation activities.

What Are Penalties for Non-Compliance?

The ICO can also impose monetary penalties up to 4% of total worldwide turnover of the preceding year or £17.5 million (whichever is higher) for non-compliance. Criminal penalties are also possible, but there have only been monetary fines to date.

What Rights Do Individuals Have?

Individuals can lodge a complaint with the ICO and bring private claims against organizations if they have suffered material or non-material (i.e. distress) damage following a data breach.

Incident Response Measures Required Under the DPA 2018 and UK GDPR

Organizations are subject to several obligations relating to data protection under the DPA 2018 and UK GDPR, including appointing a Data Protection Officer (DPO) and issuing notifications following a personal data breach.

 

What is a personal data breach?Any incident that affects the confidentiality, integrity, or availability of personal data.
What do organizations need to do following a data breach?Contain the breach and assess the potential risk for affected individuals, then issue the appropriate data breach notifications.
When do organizations need to notify the ICO?Organizations must notify the ICO unless they can demonstrate that the breach is unlikely to result in a risk to rights or freedom (in which case they must document the reasoning for this decision, the facts of the breach, and any remedial action taken). The ICO offers a self-assessment for organizations to determine whether or not they need to report a breach, found here.
How should organizations notify the ICO?Organizations must report all qualifying breaches to the ICO using this online form without undue delay, no later than 72 hours after becoming aware of it. Any delays must include a reason why, though details can be shared in phases as available.

The notification should include:

  • A description of the personal data breach, including the categories/approximate number of individuals and personal data records concerned
  • Name and contact details of the DPO or other contact point
  • A description of the likely consequences
  • A description of the measures already taken or planned to deal with the breach and mitigate any adverse effects
When do organizations need to notify affected individuals?Organizations must notify affected individuals if the data breach is likely to result in a high risk to their rights and freedoms. This requires assessing: 

  • The severity of the potential or actual impact 
  • The likelihood of this impact occurring
How should organizations notify affected individuals?Organizations must notify affected individuals without undue delay, but timing beyond that is not specific.

The notification should use clear, plain language and include:

  • Name and contact details of the DPO
  • A description of the likely consequences
  • A description of the measures already taken or planned to deal with the breach and mitigate any adverse effects
  • Specific advice on steps individuals can take to protect themselves and what the organization is doing to help (if possible), such as forcing a password reset or a warning to look out for phishing emails or fraudulent activity

What Can Trigger a Notification Under the UK’s Data Protection Laws?

Any breach of personal data can qualify as a notifiable incident under the UK’s data protection laws, including situations in which data gets lost or shared incorrectly. Common examples include:

Phishing malware or trojan

Ransomware

An attack in which hackers use malware to steal data and hold it captive in exchange for a payment. Even if the data is recovered, the exposure could put data subjects at risk.

stolen-records

Mistakenly Exposed Data

Mistakenly exposing data by sending it to the wrong person or sharing it on an insecure channel can create risk.

ransomware

Password Attacks

An attack in which hackers gain unauthorized access to a legitimate user’s password and can then access secure systems, making personal data vulnerable to exposure.

What Do Companies Need to Prepare for the DPA 2018 and UK GDPR?

The UK’s data protection laws require companies to be proactive about securing individuals’ personal data and responding to incidents. This starts by gaining visibility into data, establishing clear security measures, and assigning responsibility over incident response plans.

It’s important to consider three phases of incident response preparation to ensure compliance with the DPA 2018 and UK GDPR:

Readiness

Proactively preparing incident response plans can reduce the costs of handling a breach and help return to business as usual faster. This readiness should include:

  • Reviewing the requirements based on regulations and contracts
  • Developing clear, action-oriented incident response plans accordingly
  • Updating plans in accordance with any regulatory changes.

Response

The UK requires organizations to respond to an incident by notifying the ICO within 72 hours. This fast response can also help stem the fallout and retain customer trust. A quick and confident response requires:

  • Identifying what happened and the impact
  • Coordinating actions across departments
  • Issuing notifications based on relevant laws
  • Remediating, any issues if possible
  • Reporting on the response.

Ongoing Management

Incident response planning must be an ongoing effort to capture changes to laws and contracts and to help return to business as usual following a breach. These ongoing efforts should include:

  • Measuring and reporting on incident response efforts from a centralized dashboard
  • Maintaining stakeholder alignment and awareness of responsibilities.

Achieving Privacy Compliance Through Proactive Incident Response

Evolving regulation makes it essential for every company to stay up to date on the
DPA 2018 and UK GDPR to maintain compliance and minimize risk.

The best step companies can take is to take a proactive approach to incident management.

Minimize your regulatory risk with the BreachRx platform

Stop using spreadsheets and documents to keep track of the tasks you need to accomplish during an incident response.