Getting the Deal Through provides international expert analysis in key areas of law, practice and regulation for corporate counsel, cross-border legal practitioners, and company directors and officers.
Below is a short extract from the England & Wales chapter*, which you can read in full on the Lexology website here:
Summarise the main statutes and regulations that promote cybersecurity. Does your jurisdiction have dedicated cybersecurity laws?
There is no dedicated comprehensive cybersecurity law in England and Wales. Rather, there are numerous statute-based laws, underpinned by the possibility of civil actions in common law. These:
- criminalise unauthorised interference with computers (the Computer Misuse Act 1990 (CMA));
- criminalise the interception of communications, including communications sent or received by computers (the Investigatory Powers Act 2016 (IPA));
- impose obligations to protect ‘personal data’ (rather than data more generally) by the application of security measures, and to secure the network and information systems of operators of essential services and relevant digital service providers. The three key pieces of legislation are the General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA), and the Network and Information Systems Regulations 2018 (NISR); and
- criminalise actions amounting to fraud (the Fraud Act 2006 (FA)) and infringing intellectual property rights (the Copyright, Designs and Patents Act 1988).
English law predominantly seeks to encourage cybersecurity by punishing breaches (notably failures by data controllers and processors to keep personal data secure) rather than by reward.
Acts that would otherwise be breaches of law are made lawful where conducted by state agencies principally in the interests of national security and for the prevention and detection of serious crime in accordance with the authorisation regimes established under the IPA, the Police Act 1997 and the Intelligence Services Act 1994.
The GDPR applies to personal data processing carried out by organisations established in the EU and by those established outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. It does not apply to processing carried out for law enforcement purposes or national security purposes, or to purely personal or household processing by individuals. Data controllers must be able to demonstrate compliance with seven high-level data protection principles. The Information Commissioner’s Office (ICO) has provided guidance amplifying these principles. Breach of them can lead to substantial administrative fines imposed by the ICO. The regulator may also prosecute offenders in the criminal courts for offences under the DPA and has consulted on whether it should have powers under the Proceeds of Crime Act 2002 to prevent criminals benefitting from data-related offences.
If you wish to read the Cybersecurity 2020 Guide in full it can be found here
*Reproduced with permission from Law Business Research Ltd. This article was first published in Getting the Deal Through – Cybersecurity 2020 (Published: March 2020). For further information please visit www.gettingthedealthrough.com.