Cybersecurity breach notification requirements
Produced in partnership with Nicola Fulford of Hogan Lovells and Chris Benn of Kemp Little LLP

The following Commercial guidance note, produced in partnership with Nicola Fulford of Hogan Lovells and Chris Benn of Kemp Little LLP, provides comprehensive and up-to-date legal information covering:

  • Cybersecurity breach notification requirements
  • Cybersecurity and the law
  • EU regulatory framework—security obligations and breach notification requirements
  • UK regulatory framework—security obligations and breach notification requirements
  • Notification consequences and failure to comply
  • What it takes to be cybersecurity breach ready
  • Consequences and practical tips to manage a cyber attack

Brexit: On 31 January 2020, the UK ceased to be an EU Member State and entered an implementation period, during which it continues to be subject to EU laws, including those relating to cybersecurity and data protection. During this period, the UK generally continues to be treated as an EU (and EEA) state for EU and UK data protection law and cybersecurity purposes. Any references to EEA or EU states in this Practice Note should therefore be read to also include the UK until the end of the implementation period. For further guidance on that period, its duration and the data protection and cybersecurity laws that are anticipated to apply after the end of it, see Practice Notes: Brexit—implications for data protection and Brexit—cybersecurity.

Coronavirus (COVID-19): The Information Commissioner’s Office (ICO) has stated that it recognises the strain placed on some organisations by the coronavirus pandemic. For guidance on the ICO's advice to organisations and approach to enforcement in connection with the pandemic (including in relation to the reporting of personal data breaches), see Practice Note: The Information Commissioner’s Office (ICO)—Impact of coronavirus (COVID-19) on the ICO’s activities and approach to enforcement.

This Practice Note is intended to provide an overview of the laws and regulations relating to cybersecurity, with a particular focus on:

  1. the General Data Protection Regulation, Regulation (EU)