Cybersecurity—United Kingdom - England & Wales—Q&A guide [Archived, 2019 edition]

This Practice Note contains a jurisdiction-specific Q&A guide to cybersecurity in United Kingdom - England & Wales published as part of the Lexology Getting the Deal Through series by Law Business Research (published: December 2019).

Authors: BCL Solicitors LLP—Michael Drury; Julian Hayes

1. Summarise the main statutes and regulations that promote cybersecurity. Does your jurisdiction have dedicated cybersecurity laws?

There is no dedicated comprehensive cybersecurity law in England and Wales. Rather, there are numerous statute-based laws, underpinned by the possibility of civil actions in common law. These:

  1. criminalise unauthorised interference with computers (the Computer Misuse Act 1990 (CMA));

  2. criminalise the interception of communications, including communications sent or received by computers (the Investigatory Powers Act 2016 (IPA));

  3. impose obligations to protect ‘personal data’ (rather than data more generally) by the application of security measures. The three key pieces of legislation are the General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA), and the Network and Information Systems Regulation 2018 (NISR); and

  4. criminalise actions amounting to fraud (the Fraud Act 2006 (FA)) and infringing intellectual property rights (the Copyright, Designs and Patents Act 1988).

English law predominantly seeks to encourage cybersecurity by punishing breaches (notably failures by data controllers and processors to keep personal data secure) rather than by reward.

Acts that would otherwise be breaches of law are made
