The United Kingdom Data Protection Laws' Incident Response Guidelines
How to prepare your organization for compliance with the
Data Protection Act 2018 and UK GDPR
The United Kingdom’s (UK) General Data Protection Regulation (GDPR) was created in response to the UK’s departure from the European Union. It now operates in conjunction with the Data Protection Act 2018 (DPA 2018), a law previously introduced to implement the EU GDPR.
The UK GDPR and EU GDPR are similar but not identical. Businesses need to be aware of their key differences.
Automate United Kingdom privacy obligations with the BreachRx platform
Tailor your incident response plan in minutes so you know exactly what to do by when and take the crisis out of your incident response
Who Must Adhere to Data Protection Laws in the UK
Any organization that controls or processes data on individuals located in the UK must adhere to the country’s privacy laws, regardless of where the organization is located. This includes any activities related to offering goods and services to individuals located in the UK as well as monitoring the behavior of individuals located in the UK.
| What types of data are covered by the UK’s data protection laws? |
|
| What’s the difference between a controller and a processor? |
|
| What are the restrictions for transferring data outside the UK? | Controllers and processors can only transfer personal data to specific countries that have been deemed to have adequate controls in place or in situations where the organization creates the appropriate safeguards. |
| What are the exemptions to the UK’s data protection laws? |
|
How the UK Enforces the DPA 2018 and UK GDPR
The Information Commissioner Officer (ICO) is responsible for enforcing the UK’s data protection laws and providing guidance on enforcement.
What Enforcement Powers Exist?
The ICO has broad powers to investigate potential instances of non-compliance and to correct issues by conducting data protection audits, issuing public warnings, and issuing orders for remediation activities.
What Are Penalties for Non-Compliance?
The ICO can also impose monetary penalties up to 4% of total worldwide turnover of the preceding year or £17.5 million (whichever is higher) for non-compliance. Criminal penalties are also possible, but there have only been monetary fines to date.
What Rights Do Individuals Have?
Individuals can lodge a complaint with the ICO and bring private claims against organizations if they have suffered material or non-material (i.e. distress) damage following a data breach.
Incident Response Measures Required Under the DPA 2018 and UK GDPR
Organizations are subject to several obligations relating to data protection under the DPA 2018 and UK GDPR, including appointing a Data Protection Officer (DPO) and issuing notifications following a personal data breach.
| What is a personal data breach? | Any incident that affects the confidentiality, integrity, or availability of personal data. |
| What do organizations need to do following a data breach? | Contain the breach and assess the potential risk for affected individuals, then issue the appropriate data breach notifications. |
| When do organizations need to notify the ICO? | Organizations must notify the ICO unless they can demonstrate that the breach is unlikely to result in a risk to rights or freedom (in which case they must document the reasoning for this decision, the facts of the breach, and any remedial action taken). The ICO offers a self-assessment for organizations to determine whether or not they need to report a breach, found here. |
| How should organizations notify the ICO? | Organizations must report all qualifying breaches to the ICO using this online form without undue delay, no later than 72 hours after becoming aware of it. Any delays must include a reason why, though details can be shared in phases as available. The notification should include:
|
| When do organizations need to notify affected individuals? | Organizations must notify affected individuals if the data breach is likely to result in a high risk to their rights and freedoms. This requires assessing:
|
| How should organizations notify affected individuals? | Organizations must notify affected individuals without undue delay, but timing beyond that is not specific. The notification should use clear, plain language and include:
|
What Can Trigger a Notification Under the UK’s Data Protection Laws?
Any breach of personal data can qualify as a notifiable incident under the UK’s data protection laws, including situations in which data gets lost or shared incorrectly. Common examples include:
Ransomware
An attack in which hackers use malware to steal data and hold it captive in exchange for a payment. Even if the data is recovered, the exposure could put data subjects at risk.
Mistakenly Exposed Data
Mistakenly exposing data by sending it to the wrong person or sharing it on an insecure channel can create risk.
Password Attacks
An attack in which hackers gain unauthorized access to a legitimate user’s password and can then access secure systems, making personal data vulnerable to exposure.
What Do Companies Need to Prepare for the DPA 2018 and UK GDPR?
The UK’s data protection laws require companies to be proactive about securing individuals’ personal data and responding to incidents. This starts by gaining visibility into data, establishing clear security measures, and assigning responsibility over incident response plans.
It’s important to consider three phases of incident response preparation to ensure compliance with the DPA 2018 and UK GDPR:
Readiness
Proactively preparing incident response plans can reduce the costs of handling a breach and help return to business as usual faster. This readiness should include:
- Reviewing the requirements based on regulations and contracts
- Developing clear, action-oriented incident response plans accordingly
- Updating plans in accordance with any regulatory changes.
Response
The UK requires organizations to respond to an incident by notifying the ICO within 72 hours. This fast response can also help stem the fallout and retain customer trust. A quick and confident response requires:
- Identifying what happened and the impact
- Coordinating actions across departments
- Issuing notifications based on relevant laws
- Remediating, any issues if possible
- Reporting on the response.
Ongoing Management
Incident response planning must be an ongoing effort to capture changes to laws and contracts and to help return to business as usual following a breach. These ongoing efforts should include:
- Measuring and reporting on incident response efforts from a centralized dashboard
- Maintaining stakeholder alignment and awareness of responsibilities.
Achieving Privacy Compliance Through Proactive Incident Response
Evolving regulation makes it essential for every company to stay up to date on the
DPA 2018 and UK GDPR to maintain compliance and minimize risk.
The best step companies can take is to take a proactive approach to incident management.
Minimize your regulatory risk with the BreachRx platform
Stop using spreadsheets and documents to keep track of the tasks you need to accomplish during an incident response.
