Organisations in the UK that process personal data must comply with the Data Protection Act 2018 and UK GDPR or risk fines of up to £17.5 million or 4% of annual global turnover – whichever is greater.
The UK Data Protection Act (DPA) 2018 is a law that establishes how personal data should be collected, handled, and stored to protect people's privacy. Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’.
The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR).
It’s about protecting citizens’ personal data when it’s being processed or moved.
UK GDPR requires that personal data must be processed securely using appropriate technical and organisational measures. The regulation does not mandate a specific set of cybersecurity measures, but rather expects ‘appropriate’ action. What is appropriate for each organisation will depend upon their circumstances, as well as the data processed and therefore the risks posed.
UK GDPR places a direct responsibility on companies to prove they comply with the principles of the regulation. This means firms must commit to mandatory activities such as staff training, internal data audits and keeping detailed documentation. Breaches must be reported to the relevant authorities within 72 hours of the incident.
The NIS Directive aims to raise the overall level of security and resilience of network and information systems across the EU. It applies to companies and organisations identified as:
· Operators of Essential Services (OES).
· Outsourced IT and managed service providers (MSPs).
· Essential service providers, such as energy, transport, healthcare and water companies. Also, providers of important digital services, such as cloud computing and online search engines.
The regulatory responsibilities are carried out by Competent Authorities (CAs). The criteria for identifying OES and the list of CAs in the UK are in the NIS Regulations.
The UK will not be implementing EU NIS 2, but is planning its own NIS changes. The main changes expected to be seen include:
The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) complements the general data protection regime. It sets out more specific privacy rights on electronic communications.
It also recognises that widespread public access to digital mobile networks and the internet opens up new possibilities for businesses and users, but also new risks to their privacy.
A business that sends electronic marketing or uses cookies (or similar technologies) must comply with both PECR and the UK GDPR. PECR covers, among other things, marketing via websites, emails and SMS; keeping communications services secure; and customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.
The UK government's AI Regulation White Paper of August 3, 2023 (and its written response of February 6, 2024) indicated that the UK did not intend to use broad AI regulation that covers all industries (known as horizontal regulation).
Instead, the government supported a "principles-based framework" where regulators in specific industries will interpret how best to use AI, and what to provide rules for.
The White Paper also indicated that there are no existing plans to establish a central AI regulator either.
However, on July 17, 2024, the King’s Speech proposed a set of binding measures on AI, which deviates from the previous agile and non-binding approach. Specifically, the government plans to establish "appropriate legislation to place requirements on those working to develop the most powerful AI models". The Digital Information and Smart Data Bill was also announced, which will be accompanied by reforms to data-related laws, to support the safe development and deployment of new technologies (which may include AI). It is not yet clear exactly how this will be implemented.
The information here is not, and doesn’t intend to be, legal advice.
All information, content, and materials are for general information only. The information may not be the most up-to-date, legally or otherwise and may not be exhaustive. This website contains links to other websites – these are for convenience; Brit does not recommend or endorse the contents of the third-party sites.