New UK Cyber Action Plan: What It Means for Public Services and Data Protection

The UK’s new Cyber Action Plan aims to tackle rising cyber threats and protect public services. Learn what it means for data protection.

The UK government has announced a new Cyber Action Plan aimed at tackling growing cyber threats and strengthening the resilience of public services. The plan responds to increasing cyber attacks on councils, healthcare providers, and other public bodies that hold large volumes of sensitive personal data.

For organisations across the public sector, this announcement reinforces a clear message. Cyber security is no longer just an IT issue. It is a core data protection and governance responsibility.

Why This Matters Now

Cyber attacks against public services are rising in both frequency and impact. Recent incidents have disrupted councils, NHS organisations, and critical infrastructure, affecting millions of people.

The government has acknowledged that cyber threats now pose a direct risk to service delivery, public trust, and personal data security. The new Cyber Action Plan aims to reduce that risk by improving prevention, response, and accountability across the public sector.

From a data protection perspective, this matters because most cyber incidents involve personal data. When systems fail, individuals can suffer financial loss, identity theft, or loss of access to essential services.

What the New Cyber Action Plan Sets Out

The Cyber Action Plan focuses on strengthening defences across public services and supporting organisations that are most exposed to cyber threats.

Key areas of focus include:

• Improving cyber resilience across public sector bodies
• Strengthening incident response and recovery capabilities
• Reducing reliance on outdated and vulnerable systems
• Supporting organisations to meet minimum cyber security standards
• Improving collaboration between government, regulators, and security agencies

The plan also highlights the role of leadership. Senior decision-makers will be expected to take greater responsibility for cyber risk and data protection.

Cyber Security and Data Protection Are Linked

Cyber security and data protection cannot be separated. UK GDPR requires organisations to implement appropriate technical and organisational measures to protect personal data.

A failure to prevent or respond to a cyber attack can quickly become a personal data breach. This can trigger regulatory investigations, enforcement action, and reputational damage.

The Cyber Action Plan reinforces the importance of:

• Strong access controls and monitoring
• Regular patching and system updates
• Secure configuration of systems handling personal data
• Clear accountability for cyber risk at senior level

These measures directly support compliance with UK GDPR’s security and accountability principles.

What This Means for Public Sector Organisations

Public bodies should view the Cyber Action Plan as a call to action. Organisations will be expected to demonstrate that they take cyber risk seriously.

This includes understanding what personal data they hold, where it is stored, and how it is protected. It also means preparing for incidents, not just reacting to them.

Key steps organisations should consider include:

• Reviewing cyber security and data protection governance
• Carrying out risk assessments and DPIAs for high-risk systems
• Testing incident response and business continuity plans
• Ensuring staff receive regular cyber and data protection training
• Engaging senior leaders in cyber risk ownership

Our GDPR Audits and Data Protection Support services help public bodies identify gaps and strengthen resilience.

Regulatory Expectations and Enforcement

Regulators have made it clear that cyber incidents will be assessed through a data protection lens. Where organisations fail to implement appropriate security measures, enforcement action may follow.

The ICO has repeatedly stated that poor cyber security can amount to a breach of UK GDPR. The Cyber Action Plan supports this position by emphasising prevention, accountability, and preparedness.

Organisations that cannot evidence effective controls, training, and governance may struggle to defend their position following an incident.

Our View

At Data Protection People, we welcome the Cyber Action Plan. It recognises that cyber resilience is essential to protecting personal data and maintaining public trust.

However, strategy alone is not enough. Real improvement comes from practical action. Organisations must move beyond policy documents and ensure controls work in practice.

You should embed cyber security into everyday operations, decision-making, and culture. When organisations treat cyber risk as part of data protection governance, they are far better placed to prevent harm.

FAQs

Does the Cyber Action Plan replace UK GDPR obligations?

No. UK GDPR still applies. The plan supports and reinforces existing data protection duties.

Who does the plan affect?

The plan focuses on public services, but its principles apply to any organisation handling sensitive personal data.

What should organisations do first?

Start by reviewing cyber risks, governance, and incident response arrangements.

Contact Us

If your organisation needs support strengthening cyber resilience or meeting data protection obligations, our team can help. We offer Data Protection Support, GDPR Audits, and Training to make compliance practical and effective. Contact us today.

Source

UK Government, “New cyber action plan to tackle threats and strengthen public services”.