The General Data Protection Regulation (GDPR) came into force three days ago. It gives data subjects, including consumers and employees, greater control in a range of areas, including how their personal data is lawfully processed, shared and secured.
Recent public focus has been on how data is used, with a growing public interest in exercising statutory rights, including obtaining a copy of data held on them – a right that is free under the GDPR – and, in some circumstances, seeking its erasure or rectification.
Attention has also remained on ensuring that data is appropriately secured, as a means of avoiding regulatory action from the Information Commissioner’s Office, including fines, and the potential for privacy litigation by aggrieved customers or employees whose data may have been unlawfully accessed or disclosed.
Given the rise in cyber incidents throughout 2017, including major cross-border cyber disruptions such as the WannaCry ransomware attack, it is perhaps unsurprising that the UK Government’s recent 2018 Cyber Security Breaches Survey found that almost half of UK businesses experienced a cyber security breach or attack in the last year.
On 10 May the Network and Information Systems Regulations 2018 came into force, providing further regulation of cyber incidents that have a significant impact on the provision of services in certain sectors. The Regulations form part of the Government’s five-year £1.9 billion National Cyber Security Strategy and are designed to enhance the security of, and public trust in, IT companies’ systems and data.
The Regulations seek to ensure that systems relied on to process information, control infrastructure and to transmit data are protected against cyber attacks.
Like the GDPR, the Regulations impose organisational controls, security and incident reporting requirements and provide for high penalties, but their focus is far wider – on security of IT systems, rather than security of the personal data processed by those systems.
In this regard, new IT security notification obligations are imposed upon Operators of Essential Services (OES), including those in the utilities, health and transport sectors, as well as Digital Service Providers (DSP), such as cloud computing service providers and e-trading platforms. The UK Government anticipates that at least 432 businesses will be affected by these Regulations across the five sectors of water, digital infrastructure, energy, health and transport, as well as digital service providers.
Both OESs and DSPs must take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of their network and information systems. These measures must, having regard to the state of the art, ensure a level of security of network and information systems appropriate to the risk posed – language which will be familiar to those acquainted with the GDPR.
Nonetheless, the notification requirements are far broader than under the GDPR. Any OES must notify “any incident which has a significant impact on the continuity of the essential service which that OES provides”, with significance determined by factors such as the number of users affected by the disruption of the essential service, the duration of the incident, and the geographical area affected by the incident.
A DSP must notify “any incident having a substantial impact on the provision of any of the digital services […] that it provides.”
OESs are obliged to make such notifications to a sector-specific authority designated in the Regulations – for example OFCOM for the telecoms sector. DSPs must notify the Information Commissioner’s Office.
Given the breadth of the notification requirements described above, the practical effect is that the Regulations apply to a wider range of incidents and scenarios than the GDPR, and that it is not just events affecting personal data that must be prioritised and responded to swiftly.
A single maximum financial penalty of £17 million applies to all contraventions of the Regulations.
Critically, both OESs and DSPs are required to register with their relevant authority and the ICO respectively, with a deadline of 10 August 2018 for operators of essential services and 1 November 2018 for digital service providers.
On this basis, early consideration of whether the Regulations apply to a given body, and of what preparations are required to ensure readiness in advance of these deadlines, is key.
James McGachie is Legal Director, DLA Piper