Looking Ahead: the UK cyber landscape in 2021
As we approach the end of an unprecedented year, we look ahead to the next twelve` months. In addition to the ongoing strain on company resources caused by the pandemic, we expect companies operating in the UK and their insurers will face additional data protection burdens in 2021. Our prediction is that companies operating in the UK and their insurers must be prepared for additional regulatory obligations and group actions in 2021, as outlined below.
The UK’s transition period for exiting the European Union ends on 31st December 2020, and companies and their insurers should be aware of changes to data protection obligations after 1 January 2021, since: (1) the ICO no longer will qualify as a lead EU data protection authority; and (2) the UK will implement a UK GDPR (on essentially the same terms as the existing GDPR, but altered to accommodate domestic law).
These changes mean:
- Companies which have operations in the UK as well as other EU countries will be required to notify both the ICO and the lead EU data protection authority of a data breach incident, and also may be subject to two separate fines/penalties, leading to increased obligations and exposure for such organisations and their insurers.
- UK-based companies will be required to appoint EU GDPR representative, while EU-based companies will need to appoint a UK GDPR representative.
- At the time of writing, the EU is still conducting a data adequacy assessment of the UK to determine whether UK companies can maintain the free flow of personal data into the UK from Europe. To the extent adequacy cannot be reached, UK organisations will need to have an alternative transfer mechanism in place, such as Standard Contractual Clauses (SCCs).
Based on our experience in 2020, we expect to see an increase in UK group actions arising from data breaches in 2021. In 2020, the Blackbaud incident impacted large numbers of educational institutions on both sides of the pond. While there have been relatively few claims brought against US institutions, most UK institutions impacted by the Blackbaud incident have received claims from personal injury firms acting on behalf of impacted individuals, seeking damages for distress. This is particularly notable because the US generally is considered to be far more litigious than its UK cousins. We consider this to be a strong indication that the UK will start to see more group actions arising from data breaches, even where no actual harm is alleged.
Charlotte specialises in advising insurers on UK and US data privacy and cyber incidents. Atheria will follow these developments with interest and we welcome inquiries if there are questions in the interim.