What are the UK Laws and Regulations Pertaining to Data and Cyber Security?

Published by Marshal on

In the United Kingdom, several laws and regulations exist that relate to cybersecurity and data protection, which companies are required to comply with. Here are some key laws:

  1. General Data Protection Regulation (GDPR): Although the GDPR is an EU regulation, it has been incorporated into UK law through the Data Protection Act 2018. It sets out requirements for the processing and protection of personal data and imposes significant obligations on organizations handling such data.
  2. Data Protection Act 2018: This act complements the GDPR and provides additional provisions specific to the UK. It governs the processing of personal data, including cybersecurity measures, breach reporting, and data subject rights.
  3. Network and Information Systems Regulations 2018 (NIS Regulations): These regulations implement the EU Directive on security of network and information systems into UK law. They apply to operators of essential services (e.g., energy, transport, water, healthcare) and digital service providers (e.g., online marketplaces, cloud computing services). The NIS Regulations require these organizations to take appropriate security measures and report certain cybersecurity incidents.
  4. Computer Misuse Act 1990: This act covers offenses related to unauthorized access to computer systems, unauthorized access to data, and the creation and distribution of malware. It criminalizes activities such as hacking, denial-of-service attacks, and unauthorized modification of computer data.
  5. Privacy and Electronic Communications Regulations (PECR): PECR governs the use of electronic communications, including electronic marketing and the use of cookies and similar technologies. It requires organizations to obtain consent before sending direct marketing messages and provides rules for the use of cookies and similar tracking technologies.
  6. Investigatory Powers Act 2016: This act provides authorities with powers to conduct surveillance and access electronic communications and data in the interests of national security and the prevention and detection of crime. It establishes frameworks for the interception of communications, acquisition of communications data, and hacking by law enforcement and intelligence agencies.
  7. Official Secrets Act 1989: Covers unauthorized disclosure of official information that could harm national security, including cybersecurity-related information.
  8. Telecommunications (Security) Act 2021: Introduced to enhance the security and resilience of the UK’s telecommunications networks and supply chains. It establishes a security framework for telecommunications providers and grants powers to manage risks associated with the use of certain vendors’ equipment.
  9. National Cyber Security Centre (NCSC) Guidance: Although not a law, the NCSC provides comprehensive guidance and best practices on various aspects of cybersecurity. It offers practical advice for organizations to protect their systems and data.
  10. UK eIDAS (Electronic Identification and Trust Services for Electronic Transactions Regulations 2016): This regulation covers UK services that verify the identity of UK citizens and businesses online, as well as the authenticity of their electronic records and documents.

It is important for companies to understand and comply with these laws to protect their systems, data, and the privacy rights of individuals. However, it’s worth noting that laws and regulations can change over time, so it’s essential to consult official sources and legal professionals to ensure compliance with the most up-to-date requirements.

Global Cybersecurity Regulations

There are also other global cybersecurity regulations and frameworks that many UK businesses and organizations actively follow, although businesses are not obliged to follow them under UK law. Examples include:

HIPAA
HIPAA (Health Insurance Portability and Accountability Act of 1996) is specific to US healthcare organizations that handle PHI (protected health information), such as patient or medical records. This law also applies to any business associates, service providers, or vendors that may work with the institution and handle sensitive medical information.

HECVAT
HECVAT (Higher Education Community Vendor Assessment Toolkit) is a security framework designed to help higher education institutions manage their third-party vendor risk. These colleges and universities may work with dozens or hundreds of vendors and need a standardized method to properly assess risk and security awareness. Although HECVAT is not mandated at the federal level, many schools are establishing it as a requirement when determining business partnerships.

NIST
Perhaps one of the most widely used frameworks for up-and-coming organizations, the NIST (National Institute of Standards and Technology) Cybersecurity Framework (NIST CSF) is a set of general guidelines, standards, and best practices to mitigate cyber risks. NIST compliance is completely voluntary but provides an excellent framework for businesses to build stronger IT infrastructures and security policies.

GLBA
The Gramm-Leach-Bliley Act (GLBA) is a US data security and privacy law that requires financial institutions to implement and disclose their data protection policies. The data security program must include the nature and scope of its data handling activities and identify all risks involved in the institution’s operations.

FISMA
FISMA (Federal Information Security Management Act of 2002) is a US federal law that requires all federal agencies to develop an adequate information security program to protect any sensitive data they collect and handle. FISMA also applies to state-level agencies administering federal programs and to third-party providers contracted by federal agencies.

ISO/IEC 27001
ISO 27001 is a global standard for information security management and defines a framework for implementing, maintaining, and improving an organization’s information security program. ISO 27001 helps organizations establish policies and procedures to better manage and protect sensitive information. This framework is often used to meet compliance requirements of other cybersecurity regulations.

PCI DSS
The PCI (Payment Card Industry) DSS (Data Security Standard) is a global information security standard that applies to all businesses that handle credit card transactions. The aim is to reduce and prevent credit card fraud by securing the three stages of credit card data: processing, storage, and transfer.

GDPR
The GDPR (General Data Protection Regulation) regulates data privacy and protection for all countries within the EU (European Union) and European Economic Area. It is the official legal standard that applies to any business or organization that collects identifiable data of an EU citizen for professional or commercial purposes. The GDPR framework has also been adopted in many other non-European countries around the world.


Marshal’s Recruitment Channel provides the means for you to scale your Cyber Security Teams in the following ways.

  1. SaaS “End-to-End” Recruitment Application: build and manage a Talent Pool.
  2. Recruitment Projects: Tap directly into the Marshal network to access applicant data for ad hoc recruitment needs, in a “pay as you go” format.
  3. Executive Search: fully outsourced recruitment process, operating on a placement fee basis.

Contact Us for more details. 
