Data breaches, sanctions and enforcement

Copyright © 2025 LexisNexis

This subtopic discusses managing a data security breach involving personal data as well as sanctions and enforcement actions by the Information Commissioner’s Office (ICO) under the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR). This Overview provides a high-level introduction to the subtopic and signposts more detailed guidance housed within it.

For an introduction to the UK GDPR regime generally, including the data protection principles, terminology, territorial scope, its development from the EU GDPR, and applicability, see: Data protection regime—overview and its associated subtopic.

Guidance on equivalent topics under the EU General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR), is available in our EU Law practice area, see: EU GDPR regime (EU Law)—overview.

Position under the UK GDPR

For an introduction to the UK GDPR and key terminology generally, see:

  1. Data protection toolkit

  2. Practice Note: The UK General Data Protection Regulation (UK GDPR)

  3. Practice Note: Key definitions under UK data protection law

Data protection principles under the UK GDPR

The data protection principles under the UK GDPR include the following which are set out in

To view the latest version of this document and thousands of others like it, sign-in with LexisNexis or register for a free trial.

Existing user? Sign-in TAKE A FREE TRIAL
Powered by Lexis+®
Latest Information Law News

ICO launches strategy to regulate AI and biometrics

The Information Commissioner’s Office (ICO) has launched a strategy to intensify regulatory oversight of AI and biometric technologies, focusing on ensuring responsible use of personal data. The strategy will scrutinise the use of automated decision-making systems in recruitment, facial recognition technology by police, and the use of personal data in training generative AI models. It also includes developing a statutory code of practice for responsible AI and examining emerging risks such as agentic AI. The ICO aims to support innovation while reinforcing public trust, and plans to consult on updated guidance and produce a horizon scanning report over the coming year.

UK Data (Use and Access) Bill facing collapse risk over Parliament’s AI copyright challenge

MLex: The UK’s Data (Use and Access) Bill faces increasing risk of collapse after the House of Lords again pushed forward an amendment to include in it protections for rights holders over their works being scraped for AI training. The House of Lords lawmaker who brought the amendment, which calls on the government to bring dedicated draft legislation on the issue, said their intent was not to kill the Bill but to push the government to respond by proposing its own amendment.

EDPB adopts final guidelines on third country authority data transfer requests

The European Data Protection Board (EDPB) has adopted final guidelines clarifying the application of Article 48 of Regulation (EU) 2016/679 (General Data Protection Regulation (GDPR)) regarding data transfers to non-European authorities. The guidelines establish that third country authority decisions require international agreements for automatic recognition in Europe. Where no such agreements exist, alternative legal bases may be considered in exceptional circumstances. The guidelines include new provisions addressing processor-specific scenarios and parent-subsidiary data transfer requests where the parent company is located in a third country.

EDPB adopts final guidelines on GDPR third country data transfer rules

The European Data Protection Board (EDPB) has adopted final guidelines clarifying Article 48 of Regulation (EU) 2016/679 (General Data Protection Regulation (GDPR)) regarding data transfers to third country authorities. The guidelines establish that judgements from non-European authorities cannot automatically be enforced in Europe, requiring either an international agreement providing legal basis and transfer grounds, or consideration of alternative legal bases in exceptional circumstances. The updated guidelines include new clarifications on processor obligations and parent company-subsidiary data transfer scenarios. The EDPB has also launched two Support Pool of Experts training initiatives addressing artificial intelligence compliance and data protection requirements.

View Information Law by content type :
News
Practice notes
Precedents
Q&As

Popular documents

The UK General Data Protection Regulation (UK GDPR)—Navigator

The UK General Data Protection Regulation (UK GDPR)—Navigator [Archived]ARCHIVED: This Practice Note is not maintained and is for background information only. This archived Practice Note i) provides navigational information on the UK GDPR and accompanying Data Protection Act 2018 and ii) briefly

If a rentcharge is shown as being informally exonerated on title information, does this apply to the

If a rentcharge is shown as being informally exonerated on title information, does this apply to the current registered owner? Or does the informal exoneration only apply to the parties to the document which informally exonerated the rentcharge?This Q&A considers the situation where, at some

Late payment penalties—inheritance tax

Late payment penalties—inheritance taxWhile interest often accrues on overdue tax, the late payment of certain taxes may also attract a penalty. For information on the interest accruing on overdue tax, see Practice Notes: IHT—payment deadlines on death—Interest on IHT and Interest on late paid

Can shares in a limited company that have not been paid-up at all be cancelled?

Can shares in a limited company that have not been paid-up at all be cancelled?A limited company having a share capital may not alter that share capital, except in the ways listed in section 617 of the Companies Act 2006 (CA 2006). Shares in a company cannot simply be cancelled without following an
The UK General Data Protection Regulation (UK GDPR)—Navigator

The UK General Data Protection Regulation (UK GDPR)—Navigator

The UK General Data Protection Regulation (UK GDPR)—Navigator [Archived]ARCHIVED: This Practice Note is not maintained and is for background information only. This archived Practice Note i) provides navigational information on the UK GDPR and accompanying Data Protection Act 2018 and ii) briefly

If a rentcharge is shown as being informally exonerated on title information, does this apply to the

If a rentcharge is shown as being informally exonerated on title information, does this apply to the

If a rentcharge is shown as being informally exonerated on title information, does this apply to the current registered owner? Or does the informal exoneration only apply to the parties to the document which informally exonerated the rentcharge?This Q&A considers the situation where, at some

Late payment penalties—inheritance tax

Late payment penalties—inheritance tax

Late payment penalties—inheritance taxWhile interest often accrues on overdue tax, the late payment of certain taxes may also attract a penalty. For information on the interest accruing on overdue tax, see Practice Notes: IHT—payment deadlines on death—Interest on IHT and Interest on late paid

Can shares in a limited company that have not been paid-up at all be cancelled?

Can shares in a limited company that have not been paid-up at all be cancelled?

Can shares in a limited company that have not been paid-up at all be cancelled?A limited company having a share capital may not alter that share capital, except in the ways listed in section 617 of the Companies Act 2006 (CA 2006). Shares in a company cannot simply be cancelled without following an