Shorter Reads

Royal Mail cybersecurity incident a reminder of the international reach of the UK GDPR

A cybersecurity incident caused ‘severe disruption’ to Royal Mail’s international export services, leaving it incapable of despatching items to destinations outside of the United Kingdom.


Published 11 January 2023


Key information

Royal Mail (part of International Distributions Services Plc) announced yesterday afternoon that a cybersecurity incident had caused ‘severe disruption’ to its international export services, leaving it incapable of despatching items to destinations outside of the United Kingdom.

According to BBC News, regulators have been informed of the incident. One of these will inevitably be the UK’s data protection watchdog, the Information Commissioner’s Office (ICO). Under the UK GDPR, the ICO must be informed in the event of a personal data breach (i.e. a security incident that has affected the confidentiality, integrity, or availability of personal data) where this entails a likely risk to the rights and freedoms of the individuals whose personal data is compromised. The breach must be notified to the ICO without undue delay, but in any event within 72 hours of becoming aware of it.

But why is notification in this scenario likely to be required if this concerns deliveries to recipients overseas? The answer is that the UK GDPR is not restricted geographically. Even though in this case all the recipients will be located overseas, the processing of their personal data by Royal Mail is taking place within the United Kingdom. As such, the UK GDPR automatically governs Royal Mail’s processing of their personal data, even though the recipients are not in Britain.

For similar reasons, the EU GDPR continues to apply to British businesses in respect of their handling of personal data of individuals located in the European Economic Area (EEA), notwithstanding Brexit. This is why the Royal Mail’s own privacy policy specifically makes reference to a European data protection representative, which is a requirement for any UK business that offers goods or services to (or monitors the behaviour of) EEA-based individuals.

Yesterday’s incident will be particularly unwelcome for Royal Mail in terms of timing. Not only does this follow weeks of disruption to its operations as a result of strike action, but also comes soon after a data breach in November 2022. The ICO is therefore likely to be keeping a close eye on the organisation’s endeavours to improve the sophistication of its information security measures.


