I’m going to go ahead and open with: I am not a lawyer. If you’ve had a data breach and you need to know if you should notify an authority, or the public, you should speak to a lawyer. Don’t take legal advice from a blog post. I was researching the requirement to disclose under UK law and I thought it was interesting, so here are some (probably incomplete) notes to explain (my interpretation of) the current UK law.
Interpreting and understanding law is a difficult thing. However, many Information Security, Ethical Hacking, and Cyber Security degree courses feature understanding the law as a requirement. There’s also an awful lot of law and literature out there about the many offences that an individual could commit during the normal course of careers in offensive security roles such as penetration testing.