Cyber-security Issues & Increased Obligations under the GDPR

15th February 2017


The National Cyber Security Centre (NCSC) opened this week and is promised to be the “authoritative voice on information security in the UK”.

It is intended that the NCSC will work with business and the public sector to provide information on emerging threats, support when attacks happen, and education on best practice for maintaining online security.

It will supplement the already useful information that the Information Commissioner's Office (ICO) publishes on its Data Security Incident Trends website.

If you handle personal data, this additional support should be seen as good news, as it should help you in addressing the regulatory burdens we discuss below.

It will also increase the pressure on you to take your duties as seriously as possible, as pleading ignorance or stupidity will be impossible to sustain as the sum total of knowledge and information available to you increases.

Security Under the DPA

It is already the case that if you are a data controller you have good reason to be on top of your security game and fully prepared.

Under the Data Protection Act (DPA), data controllers are under a duty to protect the personal data they control from cyber-security vulnerabilities, including cyber-attacks and cyber-crime; a duty which will change as the state of the art and threat environment changes.

This is a significant duty, and monetary penalties of up to £500,000 (currently) can be imposed by ICO for breach of this duty.

This duty is also no idle threat. The most high-profile recent example is the cyber-attack on the telecoms and internet service provider TalkTalk, which subsequently received the highest fine issued by the ICO to date, £400,000, for the simple reason that it had not identified that an unsecured server had been left connected to the internet, giving the attackers easy access to its customer database.

You might of course be tempted to think about covering up any breach of security. Except for public communications providers, there is currently no legal obligation to report a security breach under the DPA. However, the ICO is clear that it expects voluntary reporting of breaches (whether you are at fault or not), even if that means you might face a monetary penalty where the breach is due to your poor security measures (reporting does not guarantee you will not be fined). Also, in this social media age, covering anything up is going to be difficult. So, any help you can get in terms of preparing for and dealing with security breaches is going to help you manage this reality better.

Security Under the GDPR

The General Data Protection Regulation (GDPR), which comes into force in May 2018, replacing the DPA, hardens the existing position under the DPA.

Soon all organisations who handle personal data, whether for their own purposes (as data controller) or as a service to or on behalf of someone else (as data processor), will have even more reason to take cyber security extremely seriously, and to seek any help they can get.

The GDPR materially increases the regulatory burden and expectation on persons who handle personal data, including by:

(a) setting out the security obligations in more detail, and mandating better record keeping;

(b) extending the key security obligations for the first time to data processors (those who handle data on behalf of others) as well as data controllers;

(c) mandating reporting of security breaches for everyone, both to the ICO within 72 hours, and to affected data subjects; and

(d) increasing the maximum monetary penalty substantially to €10 million or 2% of annual global turnover, whichever is greater.

It will be very interesting to see in the coming weeks and months what guidance and assistance the NCSC may provide organisations in relation to cyber-security issues and their increased obligations under the GDPR.

Further Information and Legal Support

If you would like to know more about the GDPR and your obligations contact a member of our Information Law Team or take a look at one of our Geldards' Guides.


Lowri Phillips


Partner, Cardiff