At its annual conference, CYBERUK, the National Cyber Security Centre (the “NCSC”), pledged not to pass on confidential information about cyberattacks to the UK Information Commissioner’s Office (the “ICO”) without the consent of the affected organization. This commitment is an attempt to reassure organizations, encouraging them to report and seek assistance in the event of a cybersecurity incident.
The NCSC, the UK government’s cybersecurity agency, is responsible for managing cybersecurity incidents of national importance. The NCSC engages directly with victims to understand the nature of an incident and provides free and confidential advice to help mitigate the incident’s impact in the immediate aftermath. The ICO is the UK’s independent data protection regulator, responsible for monitoring and enforcing the EU General Data Protection Regulation (the “GDPR”), and is also the competent authority for Digital Service Providers under the Network and Information Systems (“NIS”) Directive. While there is no obligation to notify the NCSC of a cybersecurity incident, there are mandatory notification requirements to the ICO: under the GDPR, for a personal data breach that is likely to result in a risk to individuals (within 72 hours of becoming aware of it), and, for Digital Service Providers, under the NIS Directive for incidents with a substantial impact on the service. Both regimes also require the affected organization to take certain remedial action.
At the CYBERUK conference, the NCSC and the ICO also outlined their distinct roles and responsibilities and the understanding between them. In particular, the two organizations set out more clearly which of them a victim should deal with, and at what stage, after a cybersecurity incident: the NCSC for immediate technical support and mitigation, and the ICO for regulatory notification and the protection of affected individuals.
In addition to the responsibilities outlined above, the NCSC confirmed that it would (1) help the ICO expand the GDPR guidance it provides to businesses regarding cybersecurity incidents and (2) encourage organizations that have been affected by cybersecurity incidents to meet their requirements under the GDPR and the NIS Directive. Meanwhile, the ICO confirmed that it would (1) develop the support it provides to help affected organizations mitigate risks to individuals and launch effective investigations and (2) ensure that organizations have adequately protected any personal data put at risk and properly met their legal responsibilities.
While outlining their individual responsibilities, both organizations agreed to share anonymized and aggregated information (rather than details that would identify a victim) to better understand risk, and to point organizations to each other’s guidance so that the advice they receive is consistent.