Cybersecurity breach notification requirements
Produced in partnership with Nicola Fulford of Hogan Lovells and Chris Benn of Kemp Little LLP

The following Commercial guidance note, produced in partnership with Nicola Fulford of Hogan Lovells and Chris Benn of Kemp Little LLP, provides comprehensive and up-to-date legal information covering:

  • Cybersecurity breach notification requirements
  • Cybersecurity and the law
  • EU regulatory framework—security obligations and breach notification requirements
  • UK regulatory framework—security obligations and breach notification requirements
  • Notification consequences and failure to comply
  • What it takes to be cybersecurity breach ready
  • Consequences and practical tips to manage a cyber attack

Brexit: On 31 January 2020, the UK ceased to be an EU Member State and entered an implementation period, during which it continues to be subject to EU laws, including those relating to cybersecurity and data protection. During this period, the UK generally continues to be treated as an EU (and EEA) state for EU and UK data protection law and cybersecurity purposes. Any references to EEA or EU states in this Practice Note should therefore be read to also include the UK until the end of the implementation period. For further guidance on that period, its duration and the data protection and cybersecurity laws that are anticipated to apply after the end of it, see Practice Notes: Brexit—implications for data protection and Brexit—cybersecurity.

This Practice Note is intended to provide an overview of the laws and regulations relating to cybersecurity, with a particular focus on:

  1. the General Data Protection Regulation, Regulation (EU) 2016/679 (GDPR)

  2. the Network and Information Systems Regulations 2018 (NIS Regulations), SI 2018/506 which implement the provisions of the Network and Information Systems Directive (NIS Directive), Directive (EU) 2016/1148, in the UK

  3. the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR 2003), SI 2003/2426 which implement the provisions of the ePrivacy Directive, Directive 2002/58/EC in the UK and the proposed ePrivacy Regulation on Personal Data in Electronic