General Data Protection Regulation (GDPR)
The GDPR, which takes effect across the EU from 25 May 2018, remains the most significant legislative and regulatory change to affect cyber security for some time. It requires data controllers and processors to take appropriate technical and organisational measures to guard against personal data breaches. This core requirement is accompanied by higher maximum fines for non-compliance (up to the higher of €20 million or 4% of global annual turnover) and more stringent reporting requirements (including a 72-hour time limit, running from the point at which the controller becomes aware of the breach, for reporting notifiable breaches to the supervisory authority).
The EU Network and Information Security Directive (the NIS Directive) requires certain operators of 'essential services' (critical infrastructure) and certain digital service providers to take appropriate technical and organisational measures to ensure the security of their networks and information systems, and to notify the relevant authority of any incident that has a significant impact on those services. Unlike the GDPR, the Directive is not aimed at personal data but at network and information system security more generally.
Under the UK's proposed implementation, maximum fines would be up to €20 million or 4% of global turnover, mirroring those under the GDPR. Regulatory enforcement powers would be given to industry-specific regulators rather than to a single authority.
Although not aimed at protecting personal data, the NIS Directive's requirements overlap with the GDPR's in places, meaning that a single incident (for example, a breach of a network that also exposes personal data) could potentially breach both regimes, with the risk of 'double' fines and two separate notification obligations.
Security flaws in third party software and hardware
Malicious actors are actively searching for vulnerabilities and flaws in both software and hardware. Newly disclosed hardware vulnerabilities such as "Meltdown" and "Spectre", which exploit speculative execution in most modern processors and require co-ordinated operating system, firmware and microcode updates to mitigate, are seen as having the potential to cause significant issues because they affect third party components that organisations do not control directly.
In order to comply with the GDPR and (where applicable) the NIS Directive, companies will be expected to monitor such developments, assess their exposure to third party software and hardware, and implement appropriate security measures (including timely patching) to mitigate their effect. A known, unpatched vulnerability in a supplier's product is unlikely to be accepted as a defence to a regulatory finding that security measures were not appropriate.
New cyber crime court?
Cyber security continues to be high on the legislative and regulatory agenda, with an announcement in 2017 that London may gain a new court specialising in fraud, economic crime and cyber crime. There are no further details yet, save that feasibility studies will be carried out in early 2018.
Dates for the diary
| Date | Event |
| --- | --- |
| December 2017 (overdue) | UK government due to publish results of consultation on NIS Directive implementation. |
| 9 May 2018 | Deadline for compliance with the high-level principles of the NIS Directive. |
| 25 May 2018 | GDPR comes into effect. |
| November 2018 | NIS Directive: detailed guidance due from sector-specific regulators. |