In May 2018, the General Data Protection Regulation ("GDPR") will come into force and contains a similar principle to that of the DPA, but also includes an express requirement (Art 32) to ensure the ongoing availability and resilience of processing systems and services. This latter requirement goes further than simply preventing the confidentiality or loss of data, and is enforced by a sanction of €10m or 2% of annual turnover (Art 32 is subject to the lower level sanction, not the higher 4%/€20m sanction).

Perhaps surprisingly, ransomware attacks may not fall within the scope of mandatory breach notification. A "personal data breach" means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Unless personal data is permanently lost or destroyed by the malware, or exfiltrated or accessed by the attacker, the requirement to notify would not be triggered.

However, there mere fact that data is inaccessible due to a ransomware attack could result in breach of data protection law and potentially high sanctions under the GDPR. It is critical, therefore, that organisations investigating such incidents consider their legal obligations and that forensic investigations are conducted with the benefit of legal privilege.

Organisations should regularly review that it has appropriate technical measures in place to safeguard systems and an effective breach response procedure in the event of a cyber security incident.

The ICO blog on ransomware, including top tips on prevention and recovery which can be accessed here.