Data and cyber

Contact: Jon Bartley and Richard Breavington

Data and cyber

New Cyber Governance Code launches to protect businesses

The Department for Science, Innovation and Technology has unveiled a new Cyber Governance Code of Practice aimed at helping company directors strengthen their organisations' online defences against growing cyber threats.

The Code, developed with the National Cyber Security Centre and industry leaders, outlines key actions boards should take, including implementing cyber strategies, fostering security-conscious cultures, and establishing incident response plans. This guidance addresses significant gaps, as a third of large businesses lack formal cyber strategies and almost half of medium firms operate without incident response plans.

The initiative complements recently announced cyber security legislation aimed at protecting supply chains, critical services, and IT providers. It includes supplementary documents mapping the Code to established cyber standards such as the NCSC's Cyber Assessment Framework.

Find out more

The Cyber Security and Resilience Bill – policy statement

The Cyber Security and Resilience Bill, outlined in a policy statement on 1 April 2025, expands the UK's cyber regulatory framework. It builds on the existing NIS (Network and Information Systems) Regulation currently in effect in the UK, bringing it more into line with the NIS2 regime being brought into force across the EU. The measures will have increased scope – encompassing, for example, Managed Service Providers. For those organisations which are in scope, it will introduce increased technical security obligations, including in relation to supply chain security. Incident reporting rules will also be tightened – requiring entities in scope to notify their regulator and the National Cyber Security Centre within 24 hours of becoming aware of a significant incident. The ICO will be given enhanced powers to gather information, and regulators can establish new fee regimes. Whilst the new duties will potentially increase compliance costs, the intention is to boost national cyber resilience in key areas of infrastructure amid evolving threats.

Find out more

Data and cyber

The Data (Use and Access) Bill progresses to House of Commons

The Data (Use and Access) Bill (DUA), introduced to Parliament in October 2024, has progressed to the House of Commons with key amendments. The amendments include: requiring organisations processing children’s data to consider new “higher protection matters” under Article 25 of the UK GDPR; amending PECR 2003 which extends the “soft opt-in” exemption for marketing emails to charities; mandating transparency from AI developers and web crawlers regarding copyright use; criminalising the creation of sexual deepfakes without consent; and requiring the ICO to develop codes of practice for AI decision-making and to regulate web crawler transparency. The ICO supports most changes but seeks clarity on children's data protection and plans to work with the government to assess its expanded responsibilities so it can "properly assess and account for the implications" of the new legislation.

Find out more

Data and cyber

Cyber_Bytes – Issue 73

Cyber_Bytes is RPC's regular round-up of key developments in cyber, tech and evolving risks. This edition includes:

ICO's first fine against data processor
Cyber Security and Resilience Bill: policy statement published
UK data reform bill will be ready this spring, minister says
UK under-prepared for catastrophic cyber attack
Europol warns against use of AI in cyber attacks
Hambro Perks, now Salica Investments, to pay £2mn for stealing confidential information

Find out more

Data Dispatch – April 2025

The latest edition of Data Dispatch from the Data Advisory team at RPC is to provides summary of key developments in data protection law. This edition includes:

ICO launches investigations into use of children's data by social media and video-sharing platforms
CJEU - Data protection fines imposed on a subsidiary must be determined based on the total annual revenue of its parent company
ICO issues first fine against data processor for security failings
RPC's Data Download Event: Insights from the ICO
Other important developments including the ICO finalising its guidance on anonymisation and pseudonymisation and the launch of the EDPB's 2025 Coordinated Enforcement on the Right to Erasure

Find out more