Effect of GDPR on ICO approach to cyber security
The GDPR, which came into effect on 25 May 2018, is the most important change to the regulation of cyber security for some time.
The practical effects of GDPR on the UK regulatory enforcement landscape remain uncertain. The Information Commissioner’s Office (ICO), the UK’s data protection regulatory authority, has yet to publish details of any enforcement action taken under the new regime.
However, the GDPR has led to a sharp increase in issues notified to the ICO. The ICO recently confirmed that it had received 1,106 data protection complaints or concerns for the period from 25 May 2018 to 18 June 2018.
The Networks and Information Systems (NIS) Directive, which applies to operators of essential services and relevant digital service providers, was implemented into UK law on 10 May 2018 (through the NIS Regulations).
For organisations affected by the NIS Regulations, compliance should be carefully analysed – not least because there is the potential for ‘double jeopardy’ as between the fines that can be levied under the NIS Regulations and under the GDPR.
Proposals for EU Cybersecurity Act
In September 2017, the European Commission published a legislative proposal for a Cybersecurity Act. The consultation period for the proposals finished in December 2017 and it is likely that the proposals will be analysed by MEPs later this year.
Under the current proposals, the Cybersecurity Act would make two significant changes to the current landscape.
First, it would introduce an EU cybersecurity certification framework, in an effort to harmonise the numerous different security certification schemes in existence in the EU.
Second, it would significantly increase the scope and powers of the European Union Agency for Network and Information Security (ENISA). Among other things, ENISA would be given a permanent mandate to assist Member States in responding to cyber-attacks (as well as responsibility for putting in place and implementing the proposed certification framework).
Is any new EU legislation expected to come into force and effect before the end of the transition period?
Certain key EU legislation has already come into force and effect, namely:
- the GDPR, which came into force on 25 May 2018 and has been supplemented in the UK through the Data Protection Act 2018; and
- the NIS Directive, which applies to operators of essential services and competent authorities and which was implemented in the UK through the NIS Regulations 2018 on 10 May 2018.
The E-Privacy Regulations, which replace the Privacy and Electronic Communications Regulations (PECR), have not yet come into force and effect. However, it is anticipated that the Regulations will be passed in late 2018 or early 2019, with a one-year implementation period. On that basis, it is possible that the E-Privacy Regulations will come into force and effect during the transition period.
As we say above, the European Commission has also proposed a new “Cybersecurity Act”, along with legislation that would increase the scope and powers of ENISA. It is unlikely that these proposals will come into force and effect before the end of the transition period.
Is a new regulator needed, or do additional powers need to be given to an existing regulator?
No new regulators will be required.
Under the GDPR (and the Data Protection Act 2018) and PECR, the ICO is the relevant regulator.
The NIS Regulations 2018 establish a number of “Competent Authorities” that have regulatory responsibilities for each relevant sector. The National Cyber Security Centre will be the “Single Point of Contact”, which is not a regulatory role but which will entail acting as the contact point for engagement with EU partners.
Is there an existing “equivalence” or “recognition” regime for recognising Third Country regulatory regimes?
There is no such regime for cyber security, but there is an existing “recognition” regime in relation to data privacy issues.
The European Commission can issue an “adequacy decision” in relation to a third country’s data protection regime. To date, the European Commission has issued “adequacy decisions” to 12 countries.
The UK is seeking a bespoke arrangement with the EU that goes beyond the adequacy regime, but so far the EU has resisted anything other than the existing mechanism.
Does current UK government policy mean that (subject to the terms of a future trade agreement between the UK and the EU) material changes to regulation or enforcement are likely post-Brexit?
The government intends to preserve the GDPR, and has already made provision for doing so by bringing into force and effect the Data Protection Act 2018.
Whilst the NIS Directive has been implemented into law, some aspects of the NIS Regulations require cross-EU cooperation (such as the participation in a Computer Security Incident Response Team network), which will depend on any future deal between the UK and EU.
What should businesses be doing now to prepare for Brexit?
- Ensure compliance with all current EU legislation that is in force and effect, and understand the effect and implications of the E-Privacy Regulations once these come into force and effect.
- Monitor the proposals for the EU’s Cybersecurity Act, to ensure you understand how any legislation might affect you (bear in mind that EU legislation in this space may continue to be relevant, whether or not the UK implements that legislation post-Brexit).
- If your business processes data in relation to EU citizens but does not have an establishment elsewhere in the EU, consider how you would comply with your GDPR notification responsibilities in the event of a data breach.
Dates for the Diary
| Date | Event |
| --- | --- |
| 11 September 2018 | Proposals for a draft Cybersecurity Act are currently being analysed by various EU committees. It is anticipated that there will be an analysis of the proposals by MEPs on 11 September 2018. |
| H1 2019 | The current draft E-Privacy Regulations are awaiting EU Parliamentary reading. It is expected that the E-Privacy Regulations will be approved by the first half of 2019. |