James Castro-Edwards, Partner and Head of Data Protection Law at Wedlake Bell, gives a law lesson on the implications of GDPR and NIS Directive and what to do now
Last week, the Department for Digital, Culture, Media and Sport (DCMS) issued consultations on bills that govern data protection and essential infrastructure. The pages of Silicon UK have covered the introduction of GDPR and NIS for several years but we thought you might like an analysis of the legislation from a legal perspective as the deadline for implementation nears.
On 8 August 2017, the UK government launched a consultation on its plans to implement the Security of Network and Information Systems Directive (NIS Directive), commonly known as the Cybersecurity Directive.
The NIS Directive is a European directive that will require certain categories of critical infrastructure providers to take steps to address the increasing number of cyber threats.
The consultation follows the government’s announcement on Monday of its intention to introduce a new Data Protection Bill that will implement the provisions of the European General Data Protection Regulation (GDPR).
Both pieces of law will take effect in May 2018, and both confirm the intention of the UK Government to maintain standards consistent with the European Union in relation to the digital environment.
Implications of the NIS Directive and GDPR
The NIS Directive will not apply to all organisations, only to ‘operators of essential services’ in the energy, transport, banking, financial market infrastructures, health sector, water and digital infrastructure sectors.
Broadly, it will require these organisations to implement appropriate security measures, and to notify incidents to the competent authority. However, the specific details will be decided by individual Member States, and have yet to be finalised.
In contrast, the GDPR will apply to any business, public authority or charity established in the EU that uses information about living individuals, whether employees, customers or suppliers. It will also apply to any business located outside the EU that offers goods and services to citizens in the EU, or monitors citizens’ behaviour in the EU.
GDPR will be brought into national law in the UK by way of the Data Protection Bill, and is intended to continue to apply after the UK leaves the EU.
The legislation imposes a number of standards upon those organisations to which it applies. It specifies that organisations must not only keep personal information secure, but that they have a duty of transparency towards the individuals to whom the information relates.
What is your biggest cybersecurity concern?
- Ransomware (28%)
- Humans / Social Engineering (27%)
- State sponsored hackers (14%)
- Malware (14%)
- Other (7%)
- Out of date tools (6%)
- DDoS (4%)
What to do now
In particular, the GDPR grants individuals enhanced rights of choice and control, including rights to be informed as to how their information is handled.
GDPR is significantly more prescriptive than the Data Protection Act 1998, which it will replace., Operators in the private, public and third sectors will have to take action to ensure they are compliant with its requirements when the new law takes effect on 25th May 2018.
GDPR became law on 25th May 2016, and included a two year ‘sunrise’ period, to enable organisations to bring their processing operations into line with its requirements, so there will be no further grace period once the new law takes effect. Compliance is expected from day one.
Both GDPR and NIS Directive impose security and reporting obligations on organisations within their scope, and operators of essential services will be subject to both the NIS Directive and the GDPR when they process information about individuals.
An entity subject to both pieces of legislation would be expected to report to both the data protection authority and the competent authority for the NIS Directive.
Organisations that will be subject to the GDPR should be well underway in their preparations for the new law when it takes effect in May 2018. Those that have not started yet, must move quickly. Compliance with the NIS Directive is currently more challenging since the final details have not been specified yet.
However, organisations that are subject to both laws should be able to leverage their GDPR security and reporting policies, processes and procedures to apply to the NIS Directive requirements when these are finalised.
James Castro-Edwards is Partner and Head of Data Protection Law at Wedlake Bell