United Kingdom: Implemented UK GDPR including cybersecurity regulation

On 1 January 2021, the United Kingdom General Data Protection Regulation (UK GDPR), including cybersecurity regulation, entered into force. In accordance with the European Union (Withdrawal) Act 2018 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, the UK GDPR is the national version of the EU's GDPR, amended to be in line with the UK legal system, which remains in force after UK's full withdrawal from the EU at the end of 2020. The UK GDPR sets out general rules regarding the processing of personal data, sharing, in many respects, the structure of the EU GDPR. The UK GDPR requires data protection by design and default. Further, it sets out cybersecurity requirements for personal data controllers and processors, who must take risk-appropriate technical and organisational cybersecurity measures. Such measures could include encryption, ensuring the integrity of processing systems, restoring personal data in case of incidents, and regular testing processes. Breaches likely to result in risks to the rights and freedoms of natural persons are to be reported to the Information Commissioner's Office (ICO) within 72 hours. High-risk breaches should also be communicated to data subjects.