Data breaches, sanctions and enforcement

This subtopic discusses managing a data security breach involving personal data as well as sanctions and enforcement actions by the Information Commissioner’s Office (ICO) under the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR). This Overview provides a high-level introduction to the subtopic and signposts more detailed guidance housed within it.

Assimilated law is the name given to retained EU law (REUL) which remains in force after the end of 2023, such as the UK GDPR. The re-categorisation of REUL (and associated terms) to assimilated law reflects a change in its status and treatment under UK law, in that it is generally to be interpreted according to ordinary domestic law and principles. From 1 January 2024, REUL is ‘assimilated’ into domestic law by virtue of the fact it is generally stripped of EU-derived interpretive effects (eg supremacy of EU law, directly effective rights, and general principles previously retained under the European Union (Withdrawal) Act 2018). For more information, see Practice Note: Assimilated law and News Analysis: Implications of the move to ‘assimilated’ law, and the Retained EU Law (Revocation and Reform)

Latest Information Law News

Cabinet Office updates PPNs on data protection and payment spot checks

The Cabinet Office has added two new Procurement Policy Notes (PPNs) to the suite of PPNs republished in conjunction with the Procurement Act 2023 (PA 2023) go-live—PPN 020: Guidance on data protection legislation and PPN 021: Payment Spot Checks in Public Sub-Contracts.

PPN 020: Guidance on data protection legislation provides updated guidance on relevant data protection requirements under the UK GDPR and the UK International Data Transfer Agreement (IDTA) governing the export of personal data from the UK. PPN 020 applies with immediate effect. It replaces PPN 03/22 which contained streamlined guidance and updated model clauses to take account of the UK’s exit from the EU. It also includes guidance on international transfers of personal data. PPN 020 does not constitute a change in policy, but in-scope organisations should circulate and adhere to the guidance and use the updated model clauses at Annex A for new contracts.

PPN 021: Payment Spot Checks in Public Sub-Contracts provides guidance and templates for contracting authorities to spot check public contract supply chains to ensure suppliers meet the payment terms set out in PA 2023. PPN 021 includes additional guidance on how in-scope organisations should conduct spot checks to ensure the correct payment terms are being included and adhered to by suppliers, plus model terms at Annex A which support spot checks being carried out. PPN 021 applies from 1 October 2025.

Both PPNs apply to all central government departments, their executive agencies and non-departmental public bodies.
