Information Security Laws in the UK

The Data Protection Act 2018 (DPA), is an integral part of the UK's data protection framework. This act requires organisations, including businesses and government departments, to inform customers about their data-handling practices. DPA offers new ways for customers to have more control over their data, like being able to access and delete their data.

According to the Government website, anyone responsible for using personal data must make sure the information is:

• "used fairly, lawfully and transparently
• used for specified, explicit purposes
• used in a way that is adequate, relevant and limited to only what is necessary
• accurate and, where necessary, kept up-to-date
• kept for no longer than is necessary
• handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage"

The UK General Data Protection Regulation (UK GDPR) is a key law governing the processing of personal data for UK residents. It applies to businesses and organisations both within and outside the UK that handle UK personal data.

Following Brexit in 2020, the UK incorporated provisions of the EU GDPR into domestic law, alongside the Data Protection Act 2018 (DPA 2018). While the core principles, rights, and obligations remain unchanged, there are specific implications for data transfers between the UK and the EEA, as noted by the Information Commissioner’s Office (ICO).

UK organisations must comply with two versions of GDPR:

1. UK GDPR, which applies to the processing of UK residents’ personal data alongside the DPA 2018.
2. EU GDPR, which still governs the processing of EU residents’ personal data.

NIS2 is an update to the previous NIS which was the European Union's first cybersecurity directive. The key difference between the two directives is that the NIS2 Directive includes more sectors and guidelines across EU Member States.

Similar to GDPR, the NIS2 aims to harmonise measures and approaches across EU Member States to secure digital infrastructure by tackling ongoing cyber attacks. This new legislation impacts more organisations than the previous directive, requiring additional security measures and having more consequences for non-compliance.

The NIS2 generally applies to public and private sectors that provide critical services and qualify as medium-sized or large-sized enterprises that provide services to/within the EU.

DORA (Digital Operational Resilience Act) aims to protect the financial services sector. Banks, insurance companies, investment firms, payment service providers, electronic money institutions and more, will be impacted by DORA.

This type of legislation covers the following:

• ICT Risk Management
• ICT Third-Party Risk Management
• Digital Operational Resilience Testing
• ICT-Related Incidents
• Information Sharing
• Oversight of Critical Third-Party Providers

The UK Operational Resilience Framework is essential for maintaining financial stability, ensuring that firms can withstand and adapt to disruptions rather than amplify them.

This framework goes beyond traditional business continuity and disaster recovery, requiring financial firms and Financial Market Infrastructures (FMIs) to have robust plans in place to maintain critical services during disruptions.

Examples of Disruptions:

• Cyberattacks
• Physical threats
• IT system outages
• Third-party supplier failures
• Natural hazards (e.g., fires, floods, severe weather, pandemics)

The EU Cybersecurity Act strengthens the role of ENISA, the EU Agency for Cybersecurity, and introduces a unified certification system for digital products and services. This framework ensures security across the EU and simplifies compliance by allowing businesses to certify ICT solutions once for recognition in all member states.

The EU Cyber Resilience Act (CRA) introduces mandatory cybersecurity requirements for manufacturers and retailers of digital products. It ensures that cybersecurity is considered throughout a product’s lifecycle, from design and development to maintenance.

The act simplifies the identification of secure hardware and software by setting clear standards. Manufacturers must provide ongoing security support, and high-risk products will require independent third-party assessment before being sold in the EU.

The Computer Misuse Act safeguards personal data stored by organisations from unauthorised access or alteration. It specifically criminalises the following actions:

1. Unauthorised access to computer material (hacking)
2. Unauthorised access with intent to commit or facilitate the commission of further offences (stealing data or planting viruses with the intent to destroy a device or network)
3. Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of a computer, etc. (examples of this would be spyware, malware and electronic vandalism)

3ZA.Unauthorised acts causing, or creating risk of, serious damage

3A. Making, supplying or obtaining articles for use in offence under section 1, 3 or 3ZA

Failure to comply with the Computer Misuse Act can lead to a variation of punishments from heavy fines to imprisonment.

The EU Artificial Intelligence Act (Regulation (EU) 2024/1689) is a comprehensive legal model designed to regulate the development and use of AI across the European Union. It classifies AI systems based on risk levels—ranging from minimal to unacceptable—imposing stricter requirements on high-risk applications, such as those used in healthcare, finance, and law enforcement.

The law aims to ensure AI is transparent, safe, and aligned with fundamental rights while preventing harmful practices like biometric surveillance and discriminatory algorithms. Its relevance is particularly significant in sectors where AI influences critical decision-making, ensuring accountability and protecting individuals from potential risks associated with automated systems.

The Telecommunications (Security) Act 2021 strengthens the UK's cybersecurity system by imposing stricter security requirements on telecom providers to protect networks from cyber threats and state-sponsored attacks. It grants the government greater oversight, enabling it to set security standards and issue compliance directions to telecom operators. The law is in place to address vulnerabilities in critical national infrastructure, particularly as 5G and fibre networks expand. It is especially relevant to the telecommunications sector, ensuring providers implement strong security measures to safeguard national security, prevent data breaches, and maintain the resilience of communication services relied upon by businesses and the public.

The Privacy and Electronic Communications Regulations (PECR) govern how organisations can use electronic communications for marketing, data security, and privacy.

There are specific rules on:

• marketing calls, emails, texts and faxes;
• cookies (and similar technologies);
• keeping communications services secure; and
• customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.

These regulations complement the UK GDPR and Data Protection Act 2018.

The law is in place to protect individuals from unsolicited communications, spam, and data misuse, reinforcing digital privacy rights. PECR is particularly relevant to sectors such as marketing, telecommunications, and e-commerce, where businesses must comply with strict rules when handling personal data and engaging with customers electronically.