Summary
- UK GDPR and the Data Protection Act 2018 require businesses to apply security measures appropriate to the personal data they hold, using a risk-based approach.
- If a cyber attack compromises personal data and creates a risk to individuals, the business must report it to the Information Commissioner’s Office within 72 hours.
- Regulated businesses may face extra reporting duties under the NIS Regulations or FCA rules, and many commercial contracts add their own security and notification obligations.
- This guide explains the legal precautions and responses to cyber attacks for businesses in the United Kingdom.
- LegalVision’s business lawyers specialise in advising clients on cyber security and UK GDPR compliance.
Tips for Businesses
Assess where your business holds personal data. Set up multi-factor authentication, encryption, backups and regular staff training. Write an incident response plan that names who acts and when. If an attack hits, contain it, notify your insurer and report any notifiable breach to the ICO within 72 hours.
A cyber attack becomes a legal problem the moment it puts personal data at risk. Under UK GDPR and the Data Protection Act 2018, you must apply security measures appropriate to the data you hold, using a risk-based approach rather than a fixed checklist. If an attack compromises personal data and creates a risk to individuals, you must report it to the Information Commissioner’s Office (ICO) within 72 hours. Regulated firms may also report under the NIS Regulations or FCA rules. Many commercial contracts add their own security and notification duties. This article explains the legal risks of a cyber attack, the precautions your business should take and what to do if data is compromised.
Why Do You Need a Cyber Security Strategy?
Various laws set out rules regarding security issues, including the UK GDPR, the Data Protection Act 2018, the NIS Regulations, and potentially sector-specific rules.
If your business handles personal data, you must take steps to keep that data secure. The UK GDPR requires you to implement technical and organisational measures appropriate to the level of risk. You must also demonstrate how you meet these duties through documented policies, up-to-date training, risk assessments, and internal procedures.
The UK GDPR does not set out a checklist of required security measures. Instead, it requires businesses to apply a level of protection appropriate to the nature of the personal data and the risk to individuals. This is a risk-based approach.
Security Measures
To determine what security measures are suitable, you should consider several factors, for example, the cost and complexity of implementation, the types of systems and security already in place, the nature of the personal data involved, and the potential harm if that data is lost or misused. For example, stronger measures may be needed when you process financial data, health information, or special category information.
If you operate in a regulated sector, additional rules may apply. The Network and Information Systems Regulations 2018 apply to certain operators of essential services and relevant digital service providers, who must report certain incidents. Similarly, FCA-regulated firms must report material cyber incidents under FCA rules. Other laws may also create reporting duties, depending on your industry and the nature of the incident.
Cybersecurity obligations may also be found in your contracts. Many commercial agreements now include strict security standards and breach notification requirements. A cyber incident could trigger disputes or claims, particularly if your failure to act causes damage.
Reducing Your Business’ Exposure to Cyber Risk
Reducing your risk starts with understanding your weak spots. You should assess how your business collects and stores data, what software and systems you rely on, and where vulnerabilities exist. This includes evaluating your own internal practices and those of your suppliers. Once you have a clear picture, you can implement appropriate controls.
You should formalise your approach through a written information security policy and a detailed incident response plan. These tools help ensure your business can respond effectively in an emergency, contain the breach, and meet its legal duties under the UK GDPR.
Managing Third-Party and Supply Chain Risk
Many cyber attacks reach a business through its suppliers, not its own systems. If a supplier that processes your data is breached, you can still be liable as the data controller under UK GDPR. The ICO expects you to choose processors that provide sufficient security guarantees and to set those expectations in writing.
Your contracts should state the security standards each supplier must meet, require prompt notification of any breach, and set out who bears the cost if an incident causes loss. Without these terms, you may struggle to recover losses or to show the ICO that you managed the risk.
Before you engage a supplier, assess how they store and protect data and whether they hold recognised certifications. Review these arrangements regularly, because a supplier’s security can weaken over time. Strong supplier due diligence reduces both your legal exposure and the chance that someone else’s weakness becomes your breach.
What to Do if a Cyber Attack Leads to a Data Breach
If a cyber attack results in the unauthorised access, loss, or corruption of personal data, you must act quickly. Your first step should be to assess whether the incident poses a risk to individuals. If it does, you must report the breach to the ICO within 72 hours of becoming aware. If there is a high risk to individuals’ rights and freedoms, you must also inform them directly without undue delay.
Before doing anything else, you should notify your insurer. Most cyber insurance policies require early notification to preserve coverage. Prompt contact can also connect you to technical and legal experts, support your response, and ensure the claims process starts without delay.
Under the UK GDPR and the Data Protection Act 2018, you must report notifiable breaches to the ICO and inform individuals where necessary. The ICO can also advise you on managing the breach and help investigate it.
If your business falls within the scope of the NIS Regulations, you must notify the relevant competent authority if the incident meets the reporting threshold. Financial services businesses must follow specific procedures for reporting certain incidents. You may also have contractual duties to notify third parties such as clients, partners, or suppliers.
Documentation
Regardless of your reporting duties, it is essential to document what happened, how your business responded, and what steps you are taking to prevent future incidents. Regulators expect this level of accountability. You should also review your contracts, test your systems, and strengthen internal practices to prevent future issues.
The fallout from a cyber attack can quickly escalate. You may need to simultaneously manage regulatory investigations, contractual disputes, customer communications, and reputational concerns. If you delay or respond incorrectly, your risk exposure can significantly increase. Taking legal advice early can help you navigate these issues correctly before they escalate.
Key Takeaways
Cyber attacks create legal and operational risks. Depending on their sector, businesses have clear duties under laws like the UK GDPR, the NIS Regulations, and potentially other laws. If a cyber attack results in a data breach, your company may be required to report the incident, notify affected individuals, and take remedial action. A strong incident response plan and a clear understanding of your obligations will help you manage the outcome and protect your business in the future.
If you need help with UK GDPR compliance, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
What security measures does the UK GDPR require?
UK GDPR does not set a fixed checklist. It requires technical and organisational measures appropriate to the risk, such as encryption, access controls and staff training. Stronger measures apply to sensitive data, including financial, health or special category information.
Do the NIS Regulations apply to my business?
The Network and Information Systems Regulations 2018 apply to operators of essential services and certain digital service providers. If you fall within scope, you must report qualifying incidents to your competent authority, separately from any ICO reporting duty.
Can a cyber attack lead to ICO fines?
Yes. If poor security causes a personal data breach, the ICO can fine up to £17.5 million or 4% of annual worldwide turnover, whichever is higher, for serious infringements. The ICO considers how you prepared and responded.
Should you tell your insurer after a cyber attack?
Yes. Most cyber insurance policies require early notification to preserve cover. Prompt contact can also connect you to technical and legal experts who support your response and start the claims process without delay.