UK GDPR fines could be linked to NCSC engagement

Businesses found to have breached UK data protection laws when falling victim to cyber attacks could receive lower fines in respect of those infringements if they engage appropriately with the UK’s National Cyber Security Centre, under a new agreement between the NCSC and the Information Commissioner’s Office.

The memorandum of understanding signed between the two organisations commits the ICO to increasingly “recognise and incentivise appropriate engagement with the NCSC on cyber security matters in its approach to regulation”.

It said: “Specifically, the commissioner will publicise (on its website, in guidance, and in relevant press releases) that it looks favourably on victims of nationally significant cyber incidents who report to and engage with the NCSC and will consider whether it can be more specific on how such engagement might factor into its calculation of regulatory fines.”

Cyber risk experts Laura Gillespie and Stuart Davey of Pinsent Masons suggest that businesses should factor the MoU into their cyber incident response plans. Gillespie said: “The MOU builds on the working relationships already in place. The NCSC provides a range of tools to organisations in seeking to protect and prevent cyber incidents, which includes the cyber assessment framework. What organisations will be keen to understand is how the use of the CAF may be viewed and followed by the ICO.

“With the ICO to continue to recognise and incentivise appropriate engagement with the NCSC, organisations hit by cyber incidents will clearly need to consider appropriate engagement with law enforcement as part of their incident response plans.”

Davey said the MoU was noteworthy in other respects too, including because it explicitly records that the NCSC will not share with the ICO information obtained from an organisation it is engaged with over a cyber incident, unless that organisation consents. He added: “Organisations dealing with a live cyber incident may take some comfort that they can rely upon the NCSC’s expertise without any disclosure being shared with the regulator.”
