A new era of data defence
2016 will mark a major step towards a digital single market in the European Union, with the General Data Protection Regulation (GDPR) and the National Information Security Directive (NISD) providing the legislative backbone for the future of cyber security and data protection within the EU.
In 2016 it is anticipated that we will see both the GDPR and NISD approved by the European Parliament’s Internal Market Committee and the Council Committee of Permanent Representatives, with both pieces of legislation expected to come into force in around two years.
Underpinning the changes is the EU's desire to set common standards for data protection and cyber security across the EU through unifying legislation. The GDPR and NISD will move away from the existing fragmented system, in which each country has its own legislation and a business operating across the EU may have to comply with several differing regimes.
The NISD and GDPR will introduce pan-European rules that provide increased protection for consumers' personal data, set minimum levels of cyber security for essential services, and remove red tape for businesses transferring data across the EU.
What changes can we expect?
The NISD will place a requirement on the providers of certain critical infrastructure to take steps to detect and effectively manage cyber security risks. The operators of essential services (including energy, transport, banking and health as well as key internet services) will also need to notify national authorities of any breaches to their IT systems that are likely to have a significant impact on the services that they provide.
The GDPR will promote greater accountability, increased transparency and controls in order to allow individuals to better manage their own personal data. Notable changes to the existing data protection rules include:
- Easier access to personal data for individuals.
- A right for individuals to transfer their data between service providers more easily.
- A clarification on the right to be forgotten for individuals.
- The right for individuals to be notified when their data has been hacked.
How will these changes impact businesses?
At this stage it is difficult to assess in great detail how widely we can expect the legislation to apply.
What is clear is that the NISD will place a new obligation on businesses to disclose cyber security breaches. Once the text of the NISD has been released, businesses will need to establish whether they are classified as an operator of essential services (the criteria for which have yet to be defined) and are therefore covered by the obligations under the NISD.
For small and medium sized enterprises (SMEs), it is anticipated that the new GDPR will significantly remove red tape in the following areas:
- No requirement for notifications to be sent to national authorities.
- Where requests for data are excessive or unfounded, an SME may charge a fee for providing the information.
- No requirement to appoint a data protection officer, so long as the main activity of the business is not data processing.
- No requirement to conduct impact assessments, except where it is deemed that there may be a high risk.
In readiness for the NISD, businesses should consider:
- How robust their existing IT systems are and whether they are capable of dealing with a potential cyber security breach.
- Conducting a thorough review of the existing security systems that are in place.
- Putting in place a cyber security policy, if they do not have one already.
Once in force, the NISD and GDPR will both carry potentially heavy sanctions for businesses where an infringement is intentional or results from a company's negligence. To avoid unnecessary sanctions, it is imperative that businesses review their systems now to ensure that they are fully prepared for the implementation of the new legislation.
For more information on cyber security and data protection, please contact Debbie Venn, Partner and Head of Technology, Media and Telecommunications.
Published: 11 Mar 2016