Regulatory Timeline | Cyber Security - April 2016
Published on 13th Apr 2016
“We continue to see (with ever increasing frequency and ingenuity) major businesses hit with crippling network security breaches and data losses. The financial and reputational consequences can be enormous. As a result of this, cyber security is now a top priority for many boards, and is a focus of increased (and not always clear or consistent) regulation and regulatory scrutiny across Europe and beyond.”
Charlie Wedin, Partner, Osborne Clarke
3 March 2016 – Information Commissioner’s Office (ICO) guidance on encryption
On 3 March 2016, the ICO issued new guidance on encryption.
Organisations will be expected to review and consider whether they should take additional measures to comply with the guidance in the coming months, as part of their overall approach to ensuring compliance with the security requirements set out in the Data Protection Act 1998 (DPA).
Whilst the DPA does not specifically require personal data to be encrypted, the ICO takes the view that organisations should consider encryption, alongside other technical measures, to keep personal data safe. Where a lack of encryption has led to a loss of data, the ICO may take regulatory action.
April 2016 – Public-private partnership (PPP) on cyber security
The European Commission’s Digital Single Market strategy calls for the establishment of a PPP on cyber security, and on 18 December 2015 the European Commission launched a consultation on the proposed PPP.
The proposed PPP would focus on innovation in cyber security, with the aim of producing for European businesses digital security products that are competitive, trustworthy, interoperable and respect fundamental rights, including the right to privacy.
The consultation closed on 11 March 2016 and the European Commission is due to provide its response during April 2016.
Q2 2016 – General Data Protection Regulation (GDPR)
The European Parliament and EU Council reached political agreement on a compromise GDPR text in December 2015, which was approved by the European Parliament on 14 April 2016. The GDPR introduces fundamental changes to data protection law, including the harmonisation of regimes across the EU, a significant increase in fines (up to EUR 20m or 4% of worldwide turnover) and the extension of the regime to non-EU businesses that operate in the EU.
The GDPR still needs to be formally approved by the Council and published in the EU Official Journal before taking effect. We expect it to be passed into EU law in the second quarter of 2016 and to become effective in Member States two years later. In the meantime businesses and European institutions will have to start taking steps to prepare for implementation.
The GDPR will introduce a regime of mandatory reporting of security breaches to the ICO within 72 hours, and also in certain circumstances to affected individuals without undue delay. This obligation will also extend to data processors, who are currently not responsible for compliance under the existing Data Protection Act 1998. The GDPR therefore raises the possibility of competing security breach notification requirements, particularly in light of the incoming EU “cyber security directive” (discussed below), which will require careful consideration and planning by the organisations affected.
Q2 2016 – EU cyber security directive: The Network and Information Security (NIS) Directive
The European Council, Parliament and Commission have reached agreement on the text of the NIS Directive. The NIS Directive requires, amongst other things, that operators of essential services (such as critical infrastructure in sectors such as energy, banking, transport and health) take appropriate security measures and report security incidents to national authorities. A lighter touch regulatory regime will apply to certain digital/technology businesses.
The NIS Directive will likely see the creation of a new regulator in the UK to whom certain network security breaches will need to be reported, raising the spectre of yet more (potentially competing) reporting obligations for businesses hit by a major cyber security incident.
We expect the Directive to come into force during spring 2016. Once in force, Member States will have 21 months to implement the necessary national legislation and another six months to identify the “operators of essential services” to whom the new rules will apply. Businesses potentially caught by the Directive need to start planning now.