Navigating the Regulatory Landscape for Data Protection and Cybersecurity
Data protection and cybersecurity regulation is evolving rapidly, driven by growing regulatory demands and emerging threats.
For businesses operating in the UK and EU, keeping pace with these changes is no longer optional - it is a critical component of survival and success in the digital age.
The Growing Challenges in Cybersecurity
As we start 2025, both the regulatory and the threat landscapes are becoming more complex. The Cyber Security Breaches Survey 2024 revealed a stark reality: half of UK businesses (50%) and a third of charities (32%) reported a cyberattack or breach in the preceding 12 months. Emerging threats such as AI-driven attacks, compromised Internet of Things (IoT) devices and hardware, and supply chain vulnerabilities demand a proactive and resilient stance. No business can afford complacency.
The EU Cyber Resilience Act (CRA): A Game-Changer for Digital Products
On October 10, 2024, the EU Council adopted the Cyber Resilience Act (CRA), setting a new gold standard for cybersecurity in products with digital components.
The CRA mandates:
- Ongoing security support:
Manufacturers must provide security updates for the product's expected lifetime, with a support period of at least five years in most cases (shorter only where the product is expected to be in use for less than five years).
- Stricter scrutiny for critical products:
Smart meter gateways, VPNs and similar products face rigorous conformity assessments and, for the most critical categories, cybersecurity certification.
- Severe penalties for non-compliance:
Breaches of the core security requirements can attract fines of up to EUR 15 million or 2.5% of worldwide annual turnover, whichever is higher, compelling businesses to prioritise adherence.
Although Brexit means the UK is not directly bound by EU regulations, the CRA will still impact UK businesses manufacturing or selling digital products in the EU. For UK firms, this dual-regulation environment underscores the importance of integrating EU and UK compliance strategies.
Landmark Cases and Data Protection Battles
The ongoing legal dispute between the Information Commissioner's Office (ICO) and DSG Retail Limited highlights the nuanced challenges in data protection. The ICO is appealing a tribunal judgment that limits organisations' responsibility for protecting pseudonymised data, such as isolated payment card details held without the cardholder's name. This case, stemming from a breach affecting some 14 million people for which the ICO issued a monetary penalty in 2020, could reshape how organisations classify and protect personal data, setting a precedent with far-reaching implications for businesses. As of now, the ICO awaits the Upper Tribunal's decision on whether to grant permission to appeal. The progression of this case is pivotal in shaping future data protection standards and organisational responsibilities. At Wright Hassall, we are keeping a close eye on developments in this case and will keep you updated.
AI and Emerging Tech in the Spotlight
Innovation comes with its own set of regulatory challenges:
- AIME Tool for AI Compliance: The Department for Science, Innovation & Technology (DSIT) launched the AI Management Essentials (AIME) tool in late 2024. Designed to help SMEs self-assess their AI management practices, the tool simplifies preparation for emerging regulation such as the EU AI Act.
- Privacy Enhancing Technologies (PETs): The ICO and DSIT also introduced a cost-benefit tool to promote PET adoption, helping businesses assess the business case for advanced privacy measures such as homomorphic encryption before investing in them.
Online Safety and Generative AI
The Online Safety Act (OSA) takes a firm stance on Generative AI (GenAI) and chatbots. Ofcom's November 2024 open letter reminds online service providers that content produced by GenAI tools and chatbots on their services falls within their OSA duties in the same way as content generated by human users. Businesses in scope must prepare to complete illegal harms risk assessments and follow Ofcom's forthcoming codes and guidance to avoid financial penalties.
The Data (Use and Access) Bill: Enhancing Privacy Protections
The Data (Use and Access) Bill (DUAB), introduced to Parliament in October 2024, proposes significant changes, including:
- Changes to cookie consent rules, including new exemptions from consent for low-risk cookies such as those used for analytics.
- Enhanced enforcement powers for the ICO.
- New rights for data subjects to complain directly to controllers.
This legislation reinforces the need for businesses to build privacy into their systems and processes from the outset and to develop robust data protection strategies.
Why a Proactive Approach Matters
Industry surveys consistently attribute the majority of data breaches (around 60% by some estimates) to human error, and businesses with effective training and awareness programmes report significantly fewer incidents.
How Wright Hassall Can Help
At Wright Hassall, we understand the intricacies of this evolving regulatory landscape.
Our services include:
- Regulatory compliance guidance tailored to your business needs.
- Privacy policy development and risk assessments.
- Support with international data transfer challenges post-Brexit.
As digital threats evolve and regulations tighten, businesses must stay informed, agile, and prepared. Partnering with us ensures that you’re not just meeting legal requirements but also building a resilient and innovative future. Please contact a member of our Commercial team for further assistance.
The information provided in this article is provided for general information purposes only, and does not provide definitive advice. It does not amount to legal or other professional advice and so you should not rely on any information contained here as if it were such advice.
Wright Hassall does not accept any responsibility for any loss which may arise from reliance on any information published here. Definitive advice can only be given with full knowledge of all relevant facts. If you need such advice please contact a member of our professional staff.
The information published across our Knowledge Base is correct at the time of going to press.